General

  • Target

    Hiren's.BootCD.9.9.iso

  • Size

    178.2MB

  • Sample

    240630-hdazzsvard

  • MD5

    9b797871bab60ebe80363a26d167b0a4

  • SHA1

    717d2f58f5a4c07417c526e80a7373a972f164e4

  • SHA256

    6b9b0c2be545dc060c19760fb7437a2661c50797797faa167a4b00a9236d4f29

  • SHA512

    606319f733c061c3ee0a4239046410c9a39a744c41199b89b2910188136f3a677b5b5fba7218d6b706c0dce618b632acb61d3902ada51f886d5675a173691e73

  • SSDEEP

    3145728:XWX5lDyn8yv3zS9t97aun6RhooaZ7w1FKoAp6wHzAsWZcwXTxsPOjMPeW:XWXbDynN3zmt9J4ooaBwrXAp6wHzgZ3C

Targets

    • Target

      HBCD/WinTools/7Zip.bat

    • Size

      89B

    • MD5

      6fd295a4c32bca6f7d6b43ef35867b8c

    • SHA1

      2fa26fb806c945e35b53aee40f186147b6965591

    • SHA256

      16873933aedb621f9f495259a034a0d8225cb37e6a1b2133ac5277e43ae3c680

    • SHA512

      d1e88801d2a46b835286e7494ff63d19001df1dd5f0a0e6ea9bae03bbb6c2f2eaacd08c6df5461ee10ccc3423d199dd0220b540fd7a945ffa14438fac3c3f1d3

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/AsteriskLogger.bat

    • Size

      101B

    • MD5

      7ef7c686018ac499743387a191b72d47

    • SHA1

      925d6476874f791d3006de07f3c274dc363473fb

    • SHA256

      47881a40db65e4c0b62f60614d2d7dcd31fbf8288f3e52e6bddcc6a437a690ec

    • SHA512

      7a63b5a4ef554a006efdbe5209758d63feb73d674b033be351c4d5558e084debe93503737d6661f9191e0ccc6611147c31ccd3aa06ac3d77e6c56944b1cde2a0

    Score
    9/10
    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/AutoRuns.bat

    • Size

      177B

    • MD5

      7c6ff63cf2cd3eebab87131b49e325bb

    • SHA1

      aa29101b2b09470229b69000826085dc8e1575a1

    • SHA256

      b03cbe7e13c4316a961968f22855b2e90becf7b9fb9464bdc57b0ef822ac2ba2

    • SHA512

      6f77b22e2336a94ed8349517da0654f1e199334a7bbd974d1dee9f9098c676353e8679a32c6fdf1d24c4a04af4d0a1f40424ae870df509ba0555debd0e95e437

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/Autorun.exe

    • Size

      11KB

    • MD5

      e21919d9101c524bf8142f7dde33e4d6

    • SHA1

      f3e48f3edf3a89042b2d99b212c207eef7780c47

    • SHA256

      07282703984dd4ca2a0752c72e7b1518a1864f816ff49cc59434921305dec7df

    • SHA512

      ced587b92d751892039fb45a8e18d2b20c18cc4eee6a586037bb457d4cbf433a0fa272255c6f8a12a747950966d3fd44e4c987377c9f17770a0aad0c22b99808

    • SSDEEP

      192:gG9k28uq+N1Wkow4WiLuiJw6ooh7x5Ohx+tHMSGjRR1XL0A2xZ:3rqy1jiu6P7n1tsFAL

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/CCleaner.bat

    • Size

      272B

    • MD5

      feada6a65af0556e9893ad1b4267a12d

    • SHA1

      793466b1af949ffee15667b98fba5397bda4f8be

    • SHA256

      870a6bfe8e01fd8ac999a0a8e2fc1bef1bb7d6623f374628e74ff38782771f13

    • SHA512

      20d36db000bd40b80535227edaa0714a1aa451497078d25f6a5828d7a1c303fe61e898d76f4c208b231e550e41f3d8c4028ae59efbe9ce47859d6f2bcd667b25

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/CPUz.bat

    • Size

      87B

    • MD5

      e73eb157659ef46d72009227c3272a3f

    • SHA1

      504a463baf84aee01becd7ac0296e66c9caa3877

    • SHA256

      b24d59a8861da7c9439138fbf84883a76e03dd00c494fccf30d73a86218e41d4

    • SHA512

      91bbd67f8c964049604cad10dbac67a79258d90d7c4d04114084f6ffb8d0ae0f3556ff06dae6c991843f20a5ca7fad6e714b7fce7aedeab526dfc40c2e2ef319

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/CPorts.bat

    • Size

      101B

    • MD5

      3ae8e6870c06a7415b230dddd3997680

    • SHA1

      c1ff9787d53a7bd64019db22801ec34c432a0161

    • SHA256

      fa57e4e2b976fa05052f14af7d8e291fb15a09ad99d1b5eeb552de02875e83eb

    • SHA512

      152fabd1b301069b7a5674c94aae2343b48e7db6581e280f20bdcb9266d1f43c0534ba504a08d1673347b3eba99c700c167c7b8e1e7f75707c43dcc58780dbbb

    Score
    9/10
    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/ComboFix.exe

    • Size

      2.9MB

    • MD5

      14b582165769a58e64a74e007e7a2e3e

    • SHA1

      ddb5384c93794f0aca59c6d0b384a19028189076

    • SHA256

      ac5700575a0776c7ac6bb2b2fdcd7ea9e2914cfd9ac72dd6d191557aa0479892

    • SHA512

      94079cb6c72991bf6f50ca138136ff9a88302e26239d06e34a39c9df0a736aa3869974b027e1edf12776da9fb743d682384d32d1ce5c1100e34381e283190ccd

    • SSDEEP

      49152:N/cX0+PRzFKDSiNUiVjHhAb5QgDmV/fK0fXU51/Mr84almQAG61ZdwJ0:aJp2+iNCFDo/V/wEYlmeSO0

    • Nirsoft

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      HBCD/WinTools/ContentAdvisorPasswordRemover.bat

    • Size

      105B

    • MD5

      a2c4cb3f9f4a6a0a7a9a25ae2cb9e6b3

    • SHA1

      522dca9ecafe66612808982640ce89fe3b8f6cc2

    • SHA256

      9b7619aa1966f1765dd7b271881fff2a21fa446fd8f0ea29281df7809807ad2d

    • SHA512

      21c172f4afcc5a86d35646971c43453d4e08d3dac94e7f65bd7de1b094f674ab56b86eaa2fcab55b44d42bae5f4b930742066dfcf3097eec5c3d98134e3230d1

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/CoolWebSearch_Remover.bat

    • Size

      93B

    • MD5

      88f0fbf67a25934e60aed5530797f64c

    • SHA1

      e3b723e43da79b225d8976c80d2ad3aa3113947f

    • SHA256

      3b3390fc5e29bb0843d948ceed046acaa691dd117166ba463af972ed0494cfcf

    • SHA512

      618b6b925187a4a1c083cdeb5e86d378c02874427bfb208b43c6d825c00c23783675bc35d059218cccf9ba5b38b8282dd0ab11facb1f30e98f5bc8d0661bf65c

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/DTemp.bat

    • Size

      96B

    • MD5

      df678211f71a4c06492c718da2e8f09f

    • SHA1

      b280a8e803553671b05892b8949fd67ec61dfd89

    • SHA256

      a290facbfb11a3554ce2c2dc3e0be3ef3dd771ffaa28ee79fc6dcdd24d074590

    • SHA512

      323d16076685f079f323764565a2244eb0246928e8e298f5be2d61db4ac8924f79d70a58a6c0092a01cc78cfec43c74aac6a926db5a0deca049a9fca5896ade5

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      HBCD/WinTools/DefragNT.exe

    • Size

      35KB

    • MD5

      3f23fb57818666666879b67b00679b0a

    • SHA1

      58d2d99f833878efbf7c9cf8c8cde8f784470fd6

    • SHA256

      f9e535431bafbd70b1a0f321262f0b8763fad5aa2442430033ff33dccceee207

    • SHA512

      e08dc0226205b71628cabfda8628b012b8f9a2b6cb9bcda6e7d5fc4e5587725e2a1b46aa0bf1a49e2abdc15f3384388b42385c69211c9e6855c01489a11c599d

    • SSDEEP

      768:SJfkEnJs4e+rfZrpw4zousA/wTnCR8Qq2ZmF9:SDXfZqMoo4TCR8x2Zg

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/DialAFix.bat

    • Size

      95B

    • MD5

      a9c98bbda5bbd20f48fc57795784caeb

    • SHA1

      8b27ccb07a220c9703775c3bbe31ff56fdb7d4e8

    • SHA256

      86b2ead4191abaabdc5543de1fc355677caa0e0605b4f98ab87554ac046cf555

    • SHA512

      3cb0b17f87e1c486c6dad121b78a316e3a70570fb365cb4d28d89f1419043353d2620e1ef2d8dea650eebb94969ca7cd98850a1263143ab6783d90e9a4c3b8cd

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      HBCD/WinTools/DisableAutorun.bat

    • Size

      307B

    • MD5

      a4feb1d16f5031e391ccca59bf910070

    • SHA1

      ac3815e55f04fe0bd6c32f49bb0d25a382bf51c4

    • SHA256

      f2e1602fc44c1dec54c81ac584222405bd3d4d8209dd751e9d608334379fe000

    • SHA512

      6bbc4f9b1fb87806464fea8279cd59bced681164f34544e5c1fa591e3e54b20f48f14edfb115978546d59ea7d928d59edaf97bb3ab895201d8eca3a33c4112ca

    Score
    1/10
    • Target

      HBCD/WinTools/DisableCompressOldFiles.bat

    • Size

      280B

    • MD5

      0741bc520a918d9e2af36404c088f380

    • SHA1

      23d5d362d2f46c73e80bdd130f7720d918f07175

    • SHA256

      35b0d4a202a43e594d729bc596afd96822c6c758644e9d3596c42e2940487e60

    • SHA512

      b04964645119315800b966744a43f2842b02175fcb40bbdf9f100079b0ff9c0dcc79676aa08d48f2e825c883b89fdb070e591c4c7b8d1099bc523911f206dd68

    Score
    1/10
    • Target

      HBCD/WinTools/DoubleDriver.bat

    • Size

      103B

    • MD5

      6dcab38b0b1b4deddb821e0612d10ee8

    • SHA1

      faf6f59a576bbf5a00e6f2f911699ccf3ff6bb03

    • SHA256

      58ca014d86aa27775f7221a8b6e5de9898d6f3bdfd0b0d7788b354e02d54511d

    • SHA512

      d1aed5721feba12d2c931d60328fcc2abe698cd996a009ac5e136d8c6a195ae2bff829b2bfc3d3779dca09cebf861d8aef00f4e0292fe7292e211771044af79a

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
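The "UPX packed file" signature is the one hit shared by almost every target above, and on this report it alone is enough for a 7/10: HBCD/WinTools/Autorun.exe and HBCD/WinTools/DefragNT.exe have no other signature and still score 7/10. The Python below, added here as an illustration and not the sandbox's own rule, reproduces the check the signature text describes by walking the PE section table for the stock UPX0/UPX1/UPX2 section names and scanning for the "UPX!" header marker. The PE fixture builder is constructed for this example so it runs offline; it produces a header skeleton, not a loadable image. A modified UPX build that renames its sections and strips the marker (the "modified UPX" case in the signature text) evades both checks, and section entropy is the usual next test.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX3"}


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names from a PE image's section table, or [] if this is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header after the PE signature: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    num_sections, size_opt = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is its first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Collect the two cheap UPX indicators: stock section names and the 'UPX!' header marker."""
    names = pe_section_names(data)
    return {
        "section_names": names,
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_magic": b"UPX!" in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    """True when either indicator is present; a packer that hides both needs an entropy check instead."""
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_magic"]


def build_minimal_pe(section_names: list[str], trailer: bytes = b"") -> bytes:
    """Constructed fixture for this example: a PE32 header skeleton with the given section names.
    It is not loadable; it only exercises the header parsing above."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # size of a PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    optional = b"\0" * size_opt
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + coff + optional + table + trailer


def scan_file(path: str) -> dict:
    """Run the indicators over a file on disk, e.g. one of the tools extracted from the ISO."""
    with open(path, "rb") as fh:
        return upx_indicators(fh.read())


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"], trailer=b"UPX!")
    print(upx_indicators(packed), looks_upx_packed(packed))
```

Run scan_file() over the WinTools directory of a mounted copy of the ISO to see which binaries this check flags; a hit says only that the file is compressed, not that it is hostile, which is exactly why the sandbox reports it as a generic signature rather than a verdict.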

MITRE ATT&CK Matrix (ATT&CK v13)

Each line gives the technique, its ATT&CK ID and the hit count for this sample.

Persistence

  • Event Triggered Execution (T1546): 1
  • Change Default File Association (T1546.001): 1
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Pre-OS Boot (T1542): 1
  • Bootkit (T1542.003): 1

Privilege Escalation

  • Event Triggered Execution (T1546): 1
  • Change Default File Association (T1546.001): 1
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 3
  • Pre-OS Boot (T1542): 1
  • Bootkit (T1542.003): 1

Discovery

  • Query Registry (T1012): 13
  • System Information Discovery (T1082): 25
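The signatures on HBCD/WinTools/ComboFix.exe (Disables RegEdit via registry modification, Adds Run key to start application, Modifies system executable filetype association) and the "Checks computer location settings" hit on the .bat targets are all registry events, and the matrix above maps them to T1112, T1547.001, T1546.001 and T1012. The Python below is an added example, not the sandbox's rule set: it turns those four signatures into matching rules and runs them over constructed registry-event lines in a simple op|key|value|data format. The registry paths in the rules are this example's assumption about what each signature looks for (Geo\Nation for the country code, Policies\System\DisableRegistryTools, the CurrentVersion\Run key, and exefile\shell\open\command); they are not text from the report.

```python
import re

# Rule set built for this example from the report's signature names. The registry paths are
# assumptions about what each signature looks for (not the sandbox's rule source); the ATT&CK IDs
# are the ones the report's matrix lists for these behaviours.
RULES = [
    {"signature": "Checks computer location settings", "attack": "T1012", "op": "query",
     "key": r"control panel\\international\\geo$", "value": "nation", "data": None},
    {"signature": "Disables RegEdit via registry modification", "attack": "T1112", "op": "set",
     "key": r"microsoft\\windows\\currentversion\\policies\\system$",
     "value": "disableregistrytools", "data": "1"},
    {"signature": "Adds Run key to start application", "attack": "T1547.001", "op": "set",
     "key": r"microsoft\\windows\\currentversion\\run$", "value": None, "data": None},
    {"signature": "Modifies system executable filetype association", "attack": "T1546.001", "op": "set",
     "key": r"(classes\\)?exefile\\shell\\open\\command$", "value": None, "data": None},
]

# Hive prefixes seen in logs: friendly names, abbreviations and kernel-style REGISTRY paths,
# with an optional user SID after the users hive.
HIVE_RE = re.compile(
    r"^(?:hkey_local_machine|hklm|hkey_current_user|hkcu|hkey_classes_root|hkcr"
    r"|(?:hkey_users|hku|\\registry\\user)(?:\\s-[\d-]+(?:_classes)?)?"
    r"|\\registry\\machine)\\"
)


def normalise_key(path: str) -> str:
    """Lower-case the path and strip the hive prefix so one rule covers every spelling of a key."""
    return HIVE_RE.sub("", path.strip().lower().replace("/", "\\").rstrip("\\"), count=1)


def parse_event(line: str):
    """Parse one constructed 'op|key|value|data' line; returns None for lines that are not events."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) < 3:
        return None
    return {
        "op": parts[0].strip().lower(),
        "key": normalise_key(parts[1]),
        "value": parts[2].strip(),
        "data": parts[3].strip() if len(parts) == 4 else "",
    }


def match_rules(event: dict, rules=RULES) -> list:
    """Return (signature, ATT&CK id) pairs for every rule the event satisfies."""
    hits = []
    for rule in rules:
        if rule["op"] != event["op"] or not re.search(rule["key"], event["key"]):
            continue
        if rule["value"] is not None and event["value"].lower() != rule["value"]:
            continue
        if rule["data"] is not None and event["data"] != rule["data"]:
            continue
        hits.append((rule["signature"], rule["attack"]))
    return hits


def triage_log(text: str, rules=RULES) -> list:
    """Return one finding per (event, rule) match, in log order."""
    findings = []
    for line in text.splitlines():
        event = parse_event(line) if line.strip() else None
        if event is None:
            continue
        for signature, attack in match_rules(event, rules):
            findings.append({"signature": signature, "attack": attack,
                             "key": event["key"], "value": event["value"], "data": event["data"]})
    return findings


# Constructed registry-event lines in op|key|value|data form; not output from the sandbox.
SAMPLE_LOG = r"""
query|HKEY_CURRENT_USER\Control Panel\International\Geo|Nation|
set|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools|1
set|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Updater|C:\Windows\System32\svc.exe
set|HKEY_CLASSES_ROOT\exefile\shell\open\command|(Default)|"C:\tool.exe" "%1" %*
set|HKEY_CURRENT_USER\Software\Vendor\App|LastRun|2024-06-30
query|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion|ProductName|
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['attack']:<10} {f['signature']:<50} {f['key']}  {f['value']}={f['data']}")
```

The data check on DisableRegistryTools matters: the same value written as 0 is a repair, which is what a cleanup tool does, while 1 is the evasion; a rule that keys only on the path cannot tell the two apart, and the same caution applies to reading the Run-key and file-association hits on a repair utility like ComboFix.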

Tasks

static1

upx
Score
7/10

behavioral1

upx
Score
7/10

behavioral2

upx
Score
7/10

behavioral3

upx
Score
7/10

behavioral4

upx
Score
9/10

behavioral5

upx
Score
7/10

behavioral6

upx
Score
7/10

behavioral7

upx
Score
7/10

behavioral8

upx
Score
7/10

behavioral9

upx
Score
7/10

behavioral10

upx
Score
7/10

behavioral11

upx
Score
7/10

behavioral12

upx
Score
7/10

behavioral13

upx
Score
7/10

behavioral14

upx
Score
9/10

behavioral15

evasion, persistence, upx
Score
9/10

behavioral16

evasion, persistence, upx
Score
9/10

behavioral17

upx
Score
7/10

behavioral18

upx
Score
7/10

behavioral19

upx
Score
7/10

behavioral20

upx
Score
7/10

behavioral21

upx
Score
7/10

behavioral22

bootkit, persistence, upx
Score
7/10

behavioral23

upx
Score
7/10

behavioral24

upx
Score
7/10

behavioral25

upx
Score
7/10

behavioral26

upx
Score
7/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

upx
Score
7/10

behavioral32

upx
Score
7/10
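The "Writes to the Master Boot Record (MBR)" hit on HBCD/WinTools/DTemp.bat (task behavioral22, tagged bootkit above) is the one signature on this report worth verifying on a disk image rather than taking at face value, since the signature text describes the technique (bootkits rewrite the MBR for persistence below the OS) but not what was written. The Python below is added here and is not part of the report: it parses a 512-byte MBR into its boot code, the four partition entries and the 0x55AA signature, and diffs two snapshots so a rewritten boot loader can be told apart from a partition-table edit. The sample MBRs are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # bootstrap code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a hash of its boot code plus the in-use partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-first(3) type(1) CHS-last(3) LBA-first(4) sector-count(4)
        status, ptype, lba_first, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                               "lba_first": lba_first, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Say which part of the MBR differs between two snapshots."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    return {"bootcode_changed": before["bootcode_sha256"] != after["bootcode_sha256"],
            "partition_table_changed": before["partitions"] != after["partitions"]}


def read_mbr(device_or_image: str) -> bytes:
    """Read sector 0 from a raw device or image file (a physical disk needs admin/root)."""
    with open(device_or_image, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Constructed fixture: assemble an MBR from boot code and (bootable, type, lba_first, sectors) tuples."""
    code = bootcode[:PART_TABLE_OFFSET].ljust(PART_TABLE_OFFSET, b"\0")
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, first, count)
                     for bootable, ptype, first, count in partitions)
    return code + table.ljust(64, b"\0") + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_mbr(b"\xfa\x33\xc0\x8e\xd0", [(True, 0x07, 2048, 2_000_000)])
    rewritten = build_mbr(b"\xeb\x3c\x90", [(True, 0x07, 2048, 2_000_000)])
    print(parse_mbr(clean))
    print(compare_mbr(clean, rewritten))
```

In practice, take read_mbr() of the analysis VM's disk before and after running the task (on Windows the raw device path is \\.\PhysicalDrive0, on Linux /dev/sda) and feed both to compare_mbr(); a changed boot code hash with an unchanged partition table is the pattern the bootkit signature is describing, while a changed table with the same boot code is what a disk utility produces.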