Overview

overview

8

Static

static

8

5c734cbcd7...98.exe

windows7-x64

8

5c734cbcd7...98.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    169s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe

  • Size

    1.7MB

  • MD5

    943933373f4e7ce28a51d25e49135b31

  • SHA1

    750c4587191e5555373079f09777667475a7cc77

  • SHA256

    5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98

  • SHA512

    8b3edb5c948c029f545233b3e4a74476a64aa493e2c30659025fc33e51325fb80f914fc0f2d4c3e2cee9834af2fd45114d6d31d0160104aeed862ab3999549ac

  • SSDEEP

    49152:qUCGmlEoSCjwbtr/fgi3JSGiDVk/Wf110F6:qU7//fgi3mDV5f1o6

Score
8/10
bootkitpersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
    "C:\Users\Admin\AppData\Local\Temp\5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_3552.log
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz.ini
    Filesize

    546B

    MD5

    b87e9c6d0382d4e55c7c4672510edd44

    SHA1

    bde5ef78466deb360f37aa259c10d8e12022e588

    SHA256

    191b892d5e60292f5ec66b4d63fe77197167384cf4ec6c9e7f57550f62f8f877

    SHA512

    bd7a7d84de8703ba9514824f8ac95b52b98f0baed2e99b150fd9a9262fcec038a6acf4fe27864fe5b3d554326ba417fe68757a8e8f7211c0c400cae96c5ec29e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
    Filesize

    4.3MB

    MD5

    f9caa69e23612ba60ab4c3ff5277d086

    SHA1

    08807e51a1d9fc6c1ec3379c554542aa06edd978

    SHA256

    23248a893ba4c74462940d92f8a466bc7cb7a1623aea5b70a53876b58281ef45

    SHA512

    81ad9874d2b6a46d22708c6ad2e84542591031f1ab6da86a9d023193ad8ff619754a65365fc72a568f272a7d06cb8dd448914889d2bbd8b05a82277bd68382ce

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
    Filesize

    4.3MB

    MD5

    f9caa69e23612ba60ab4c3ff5277d086

    SHA1

    08807e51a1d9fc6c1ec3379c554542aa06edd978

    SHA256

    23248a893ba4c74462940d92f8a466bc7cb7a1623aea5b70a53876b58281ef45

    SHA512

    81ad9874d2b6a46d22708c6ad2e84542591031f1ab6da86a9d023193ad8ff619754a65365fc72a568f272a7d06cb8dd448914889d2bbd8b05a82277bd68382ce

    Download Submit
  • C:\Windows\temp\cpuz_driver_3552.log
    Filesize

    2KB

    MD5

    84d6980f50240ee74f6c0213a67361c6

    SHA1

    d5e3d90357635ab662c44d7fd3b7202bc9652478

    SHA256

    5f94ac92b229101714f490f28604bbf6a85dc6c00232272c8592c0e527f3f4af

    SHA512

    d6d8ef0f61ac2b1bd13ca30ba1a4c56e55df00d4851fe5d641d6628aba95315b6feb630d9002c5ce0988fdf09e2436c814382926c2834afb08891e85cc2ab28b

    Download Submit
  • memory/2820-132-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/2820-133-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/3552-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3972-138-0x0000000000000000-mapping.dmp
    Download