Analysis
max time kernel: 36s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 13:08
Behavioral task: behavioral1
Sample: 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
Resource: win10v2004-20221111-en
General
Target: 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
Size: 1.7MB
MD5: 943933373f4e7ce28a51d25e49135b31
SHA1: 750c4587191e5555373079f09777667475a7cc77
SHA256: 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98
SHA512: 8b3edb5c948c029f545233b3e4a74476a64aa493e2c30659025fc33e51325fb80f914fc0f2d4c3e2cee9834af2fd45114d6d31d0160104aeed862ab3999549ac
SSDEEP: 49152:qUCGmlEoSCjwbtr/fgi3JSGiDVk/Wf110F6:qU7//fgi3mDV5f1o6
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
Processes (pid, process):
944  cpuz_x64.exe
1260  (no process name in the report)
yara rule matches (2 IoCs)
Processes (resource, yara_rule):
behavioral1/memory/1672-55-0x0000000000400000-0x000000000042C000-memory.dmp  upx
behavioral1/memory/1672-67-0x0000000000400000-0x000000000042C000-memory.dmp  upx
Both matches are on the in-memory image of the submitted sample (pid 1672, the 7-Zip SFX stub that extracts into 7ZipSfx.000), so the outer package is UPX-packed; no rule match is listed for cpuz_x64.exe.
Loads dropped DLL (2 IoCs)
Processes (pid, process):
1672  5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
1260  (no process name in the report)
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
File opened for modification  \??\PhysicalDrive0  cpuz_x64.exe
Note: the IoC is a handle on \??\PhysicalDrive0 opened with write access by cpuz_x64.exe; the report records no write to sector 0 itself. Before treating this as bootkit activity, compare the first sector of the disk before and after the run (boot code, disk signature, partition table and the 0x55AA signature).
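A before/after check of the first sector, added here as an example; it is not part of the sandbox report and not code from any tool the report names. The two 512-byte MBRs are constructed inline (a plausible Windows-style layout and a copy whose boot code has been patched with a JMP). On a live Windows host the snapshots would instead come from reading 512 bytes of \\.\PhysicalDrive0 as Administrator, or from the sandbox's disk image.

```python
import hashlib
import struct

SECTOR_LEN = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440             # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446           # four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIG = b"\x55\xAA"         # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw first sector into the fields worth diffing; refuses short reads."""
    if len(sector) != SECTOR_LEN:
        raise ValueError(f"expected {SECTOR_LEN} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, ptype, lba_start, lba_count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count})
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return the regions that differ between two MBR snapshots (empty list means untouched)."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not after["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        findings.append("boot code changed")
    if before["disk_signature"] != after["disk_signature"]:
        findings.append("disk signature changed")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    return findings


def _entry(status, ptype, lba_start, lba_count):
    return struct.pack(PART_ENTRY_FMT, status, ptype, lba_start, lba_count)


# Constructed sample data (not taken from the sandbox): a Windows-style MBR with a
# 100 MB bootable system partition followed by a larger data partition.
BASELINE_MBR = (
    b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8\xBE\x00\x7C\xBF\x00\x06".ljust(BOOT_CODE_LEN, b"\x00")
    + b"\xDE\xAD\xBE\xEF" + b"\x00\x00"
    + _entry(0x80, 0x07, 2048, 204800)
    + _entry(0x00, 0x07, 206848, 1843200)
    + _entry(0, 0, 0, 0)
    + _entry(0, 0, 0, 0)
    + BOOT_SIG
)

# Constructed "after" snapshot: the first three boot-code bytes replaced by a JMP, the way a
# bootkit redirects execution while leaving the partition table and signature intact.
TAMPERED_MBR = b"\xEB\x3C\x90" + BASELINE_MBR[3:]


if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR)["partitions"])
    print("unchanged:", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    print("tampered: ", compare_mbr(BASELINE_MBR, TAMPERED_MBR))
```

Hashing only the boot-code region separately from the partition table keeps a legitimate partition change (an installer resizing a volume) from masking a boot-code patch, which is the part a bootkit has to touch.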
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: this heuristic fires on any enumeration of storage devices, which hardware-information utilities also do, so on its own it is weak evidence of ransomware. The report lists no file encryption, mass file modification or dropped ransom note anywhere.
Opens file in notepad (likely ransom note) (1 IoCs)
Processes (pid, process):
1648  NOTEPAD.EXE
Note: the file opened is C:\Windows\temp\cpuz_driver_944.log (see the process tree and Downloads), a 2KB log named after pid 944 (cpuz_x64.exe). Its name marks it as a driver log from cpuz_x64.exe rather than a ransom note; the signature is a generic "notepad opened a text file" heuristic.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
944  cpuz_x64.exe
944  cpuz_x64.exe
Suspicious behavior: LoadsDriver (2 IoCs)
Processes (pid, process):
464  (no process name in the report)
464  (no process name in the report)
Pid 464 is not part of the sample's process tree; read this together with the SeLoadDriverPrivilege use by pid 944 under AdjustPrivilegeToken.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
Token: SeLoadDriverPrivilege  944  cpuz_x64.exe
Token: SeLoadDriverPrivilege  944  cpuz_x64.exe
Note: SeLoadDriverPrivilege is the privilege required to load a kernel driver. Together with the LoadsDriver signature and the cpuz_driver_944.log written to C:\Windows\temp, this indicates cpuz_x64.exe loaded a kernel-mode driver. The driver file itself is not listed under Downloads, so its name, hash and signature are not established by this report and should be recovered from the sandbox filesystem before the sample is classified.
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
944  cpuz_x64.exe
944  cpuz_x64.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes (source pid/process -> target pid/process):
1672 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe -> 944 cpuz_x64.exe  (4 entries)
944 cpuz_x64.exe -> 1648 NOTEPAD.EXE  (3 entries)
Note: every entry pairs a parent with the child it spawned (see the process tree), so the writes are consistent with process creation rather than injection into an unrelated process.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe"
  PID: 1672
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe"
    PID: 944
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_944.log
      PID: 1648
      - Opens file in notepad (likely ransom note)
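The path 7ZipSfx.000\CPU-Z\cpuz_x64.exe only says what the dropped binary is named, not what it is. Before accepting the CPU-Z identification, a practitioner would confirm that cpuz_x64.exe carries an embedded Authenticode signature and then validate the chain with signtool, osslsigncode or Get-AuthenticodeSignature. The following is an added example, not code from the report or from the CPU-Z vendor: it walks the PE headers to the security data directory, reports whether a WIN_CERTIFICATE blob is present, and rejects a certificate table that points outside the file. The PE images it parses are constructed inline (a bare PE32+ header with and without a placeholder blob), so it runs offline; on the real sample you would pass the bytes of the file read from disk.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # this data-directory slot holds a file offset, not an RVA
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_info(pe: bytes) -> dict:
    """Report whether a PE carries an embedded Authenticode (PKCS#7) blob.
    Presence only: chain and timestamp validation need signtool/osslsigncode."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:                         # PE32+
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    info = {"pe32plus": magic == 0x20B, "signed": False,
            "file_sha256": hashlib.sha256(pe).hexdigest()}
    nrva = struct.unpack_from("<I", pe, opt + nrva_off)[0]
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return info                              # header too short to hold a security entry
    offset, size = struct.unpack_from("<II", pe, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size == 0:
        return info                              # no certificate table: unsigned
    if size < 8 or offset + size > len(pe):
        raise ValueError("certificate table points outside the file (truncated or tampered)")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)   # WIN_CERTIFICATE header
    info.update({
        "signed": revision == WIN_CERT_REVISION_2_0 and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "cert_length": length,
        "cert_type": cert_type,
        "pkcs7_sha256": hashlib.sha256(pe[offset + 8:offset + length]).hexdigest(),
    })
    return info


def build_test_pe(signature_blob=None) -> bytes:
    """Constructed minimal PE32+ image (header only) for exercising the parser offline."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                                       # NumberOfRvaAndSizes
    header_len = len(dos) + len(coff) + len(opt)                               # 328 bytes, 8-byte aligned
    body = b""
    if signature_blob is not None:
        cert = struct.pack("<IHH", 8 + len(signature_blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
        body = cert
    return dos + coff + bytes(opt) + body


# Constructed placeholder standing in for a DER-encoded PKCS#7 SignedData; not a real signature.
FAKE_PKCS7 = b"\x30\x82\x00\x0c" + bytes(12)

if __name__ == "__main__":
    print("unsigned:", authenticode_info(build_test_pe()))
    print("signed:  ", authenticode_info(build_test_pe(FAKE_PKCS7)))
```

An unsigned or self-signed cpuz_x64.exe with the vendor's name in the path is the case this check exists for: the 7-Zip SFX wrapper can carry anything, and the sandbox's identification rests on the file name alone. The pkcs7_sha256 value is also a convenient key for matching the same signature blob across other samples.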
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz.ini
  Filesize: 546B
  MD5: b87e9c6d0382d4e55c7c4672510edd44
  SHA1: bde5ef78466deb360f37aa259c10d8e12022e588
  SHA256: 191b892d5e60292f5ec66b4d63fe77197167384cf4ec6c9e7f57550f62f8f877
  SHA512: bd7a7d84de8703ba9514824f8ac95b52b98f0baed2e99b150fd9a9262fcec038a6acf4fe27864fe5b3d554326ba417fe68757a8e8f7211c0c400cae96c5ec29e
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
  Filesize: 4.3MB
  MD5: f9caa69e23612ba60ab4c3ff5277d086
  SHA1: 08807e51a1d9fc6c1ec3379c554542aa06edd978
  SHA256: 23248a893ba4c74462940d92f8a466bc7cb7a1623aea5b70a53876b58281ef45
  SHA512: 81ad9874d2b6a46d22708c6ad2e84542591031f1ab6da86a9d023193ad8ff619754a65365fc72a568f272a7d06cb8dd448914889d2bbd8b05a82277bd68382ce
C:\Windows\temp\cpuz_driver_944.log
  Filesize: 2KB
  MD5: baaa4056aac88981fbe95e306215700e
  SHA1: 3b2894ecd2613fa4b4a7dc70482232016bebb1ac
  SHA256: fadb73cb016e08dc36d2e465d02df12c52c24927e0bbc5d04790c7760dff1cd7
  SHA512: 775a6475b0daec2d9eef3ac26ebdecbd4527b50538c1c44cdb07509546c816cc6d7556a96050dc616a50918716fd88c8661cb91341bce4732e2fc76862b58e74
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe (same hashes as the C:\Users entry above, listed again under a drive-less path)
  Filesize: 4.3MB
  MD5: f9caa69e23612ba60ab4c3ff5277d086
  SHA1: 08807e51a1d9fc6c1ec3379c554542aa06edd978
  SHA256: 23248a893ba4c74462940d92f8a466bc7cb7a1623aea5b70a53876b58281ef45
  SHA512: 81ad9874d2b6a46d22708c6ad2e84542591031f1ab6da86a9d023193ad8ff619754a65365fc72a568f272a7d06cb8dd448914889d2bbd8b05a82277bd68382ce
memory/944-57-0x0000000000000000-mapping.dmp
memory/944-63-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp
  Filesize: 8KB
memory/1648-64-0x0000000000000000-mapping.dmp
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
  Filesize: 8KB
memory/1672-55-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
memory/1672-67-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB