5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98

General

Target

5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
Size

1.7MB
MD5

943933373f4e7ce28a51d25e49135b31
SHA1

750c4587191e5555373079f09777667475a7cc77
SHA256

5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98
SHA512

8b3edb5c948c029f545233b3e4a74476a64aa493e2c30659025fc33e51325fb80f914fc0f2d4c3e2cee9834af2fd45114d6d31d0160104aeed862ab3999549ac
SSDEEP

49152:qUCGmlEoSCjwbtr/fgi3JSGiDVk/Wf110F6:qU7//fgi3mDV5f1o6

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

cpuz_x64.exe

pid process

944 cpuz_x64.exe
1260

pid	process
944	cpuz_x64.exe
1260

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1672-55-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1672-67-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe

pid process

1672 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
1260
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cpuz_x64.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cpuz_x64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1648 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cpuz_x64.exe

pid process

944 cpuz_x64.exe
944 cpuz_x64.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

464
464
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cpuz_x64.exe

description pid process

Token: SeLoadDriverPrivilege 944 cpuz_x64.exe
Token: SeLoadDriverPrivilege 944 cpuz_x64.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cpuz_x64.exe

pid process

944 cpuz_x64.exe
944 cpuz_x64.exe

pid	process
1672	5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
1260

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cpuz_x64.exe

pid	process
1648	NOTEPAD.EXE

pid	process
944	cpuz_x64.exe
944	cpuz_x64.exe

pid	process
464
464

description	pid	process
Token: SeLoadDriverPrivilege	944	cpuz_x64.exe
Token: SeLoadDriverPrivilege	944	cpuz_x64.exe

pid	process
944	cpuz_x64.exe
944	cpuz_x64.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.execpuz_x64.exe

description	pid	process	target process
PID 1672 wrote to memory of 944	1672	5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe	cpuz_x64.exe
PID 1672 wrote to memory of 944	1672	5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe	cpuz_x64.exe
PID 1672 wrote to memory of 944	1672	5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe	cpuz_x64.exe
PID 1672 wrote to memory of 944	1672	5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe	cpuz_x64.exe
PID 944 wrote to memory of 1648	944	cpuz_x64.exe	NOTEPAD.EXE
PID 944 wrote to memory of 1648	944	cpuz_x64.exe	NOTEPAD.EXE
PID 944 wrote to memory of 1648	944	cpuz_x64.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
"C:\Users\Admin\AppData\Local\Temp\5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_944.log
3⤵
- Opens file in notepad (likely ransom note)
PID:1648

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz.ini
Filesize
546B

MD5
b87e9c6d0382d4e55c7c4672510edd44

SHA1
bde5ef78466deb360f37aa259c10d8e12022e588

SHA256
191b892d5e60292f5ec66b4d63fe77197167384cf4ec6c9e7f57550f62f8f877

SHA512
bd7a7d84de8703ba9514824f8ac95b52b98f0baed2e99b150fd9a9262fcec038a6acf4fe27864fe5b3d554326ba417fe68757a8e8f7211c0c400cae96c5ec29e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
f9caa69e23612ba60ab4c3ff5277d086

SHA1
08807e51a1d9fc6c1ec3379c554542aa06edd978

SHA256
23248a893ba4c74462940d92f8a466bc7cb7a1623aea5b70a53876b58281ef45

SHA512
81ad9874d2b6a46d22708c6ad2e84542591031f1ab6da86a9d023193ad8ff619754a65365fc72a568f272a7d06cb8dd448914889d2bbd8b05a82277bd68382ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
f9caa69e23612ba60ab4c3ff5277d086

SHA1
08807e51a1d9fc6c1ec3379c554542aa06edd978

SHA256
23248a893ba4c74462940d92f8a466bc7cb7a1623aea5b70a53876b58281ef45

SHA512
81ad9874d2b6a46d22708c6ad2e84542591031f1ab6da86a9d023193ad8ff619754a65365fc72a568f272a7d06cb8dd448914889d2bbd8b05a82277bd68382ce

Download Submit
C:\Windows\temp\cpuz_driver_944.log
Filesize
2KB

MD5
baaa4056aac88981fbe95e306215700e

SHA1
3b2894ecd2613fa4b4a7dc70482232016bebb1ac

SHA256
fadb73cb016e08dc36d2e465d02df12c52c24927e0bbc5d04790c7760dff1cd7

SHA512
775a6475b0daec2d9eef3ac26ebdecbd4527b50538c1c44cdb07509546c816cc6d7556a96050dc616a50918716fd88c8661cb91341bce4732e2fc76862b58e74

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
f9caa69e23612ba60ab4c3ff5277d086

SHA1
08807e51a1d9fc6c1ec3379c554542aa06edd978

SHA256
23248a893ba4c74462940d92f8a466bc7cb7a1623aea5b70a53876b58281ef45

SHA512
81ad9874d2b6a46d22708c6ad2e84542591031f1ab6da86a9d023193ad8ff619754a65365fc72a568f272a7d06cb8dd448914889d2bbd8b05a82277bd68382ce

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
f9caa69e23612ba60ab4c3ff5277d086

SHA1
08807e51a1d9fc6c1ec3379c554542aa06edd978

SHA256
23248a893ba4c74462940d92f8a466bc7cb7a1623aea5b70a53876b58281ef45

SHA512
81ad9874d2b6a46d22708c6ad2e84542591031f1ab6da86a9d023193ad8ff619754a65365fc72a568f272a7d06cb8dd448914889d2bbd8b05a82277bd68382ce

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
f9caa69e23612ba60ab4c3ff5277d086

SHA1
08807e51a1d9fc6c1ec3379c554542aa06edd978

SHA256
23248a893ba4c74462940d92f8a466bc7cb7a1623aea5b70a53876b58281ef45

SHA512
81ad9874d2b6a46d22708c6ad2e84542591031f1ab6da86a9d023193ad8ff619754a65365fc72a568f272a7d06cb8dd448914889d2bbd8b05a82277bd68382ce

Download Submit
memory/944-57-0x0000000000000000-mapping.dmp

Download
memory/944-63-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/1648-64-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1672-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing