Analysis
- max time kernel: 169s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 13:08
Behavioral task behavioral1
- Sample: 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
- Resource: win10v2004-20221111-en
General
- Target: 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
- Size: 1.7MB
- MD5: 943933373f4e7ce28a51d25e49135b31
- SHA1: 750c4587191e5555373079f09777667475a7cc77
- SHA256: 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98
- SHA512: 8b3edb5c948c029f545233b3e4a74476a64aa493e2c30659025fc33e51325fb80f914fc0f2d4c3e2cee9834af2fd45114d6d31d0160104aeed862ab3999549ac
- SSDEEP: 49152:qUCGmlEoSCjwbtr/fgi3JSGiDVk/Wf110F6:qU7//fgi3mDV5f1o6
Malware Config
Signatures
- Executes dropped EXE [1 IoCs]
  Processes:
    pid | process
    3552 | cpuz_x64.exe
-
  Processes:
    resource | yara_rule
    behavioral2/memory/2820-132-0x0000000000400000-0x000000000042C000-memory.dmp | upx
    behavioral2/memory/2820-133-0x0000000000400000-0x000000000042C000-memory.dmp | upx
- Checks computer location settings [2 TTPs, 2 IoCs]
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | cpuz_x64.exe
- Writes to the Master Boot Record (MBR) [1 TTPs, 1 IoCs]
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | cpuz_x64.exe
- Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) [3 TTPs, 2 IoCs]
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | cpuz_x64.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | cpuz_x64.exe
- Modifies registry class [1 IoCs]
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | cpuz_x64.exe
- Opens file in notepad (likely ransom note) [1 IoCs]
  Processes:
    pid | process
    3972 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses [2 IoCs]
  Processes:
    pid | process
    3552 | cpuz_x64.exe
    3552 | cpuz_x64.exe
- Suspicious behavior: LoadsDriver [2 IoCs]
  Processes:
    pid | process
    648 |
    648 |
- Suspicious use of AdjustPrivilegeToken [2 IoCs]
  Processes:
    description | pid | process
    Token: SeLoadDriverPrivilege | 3552 | cpuz_x64.exe
    Token: SeLoadDriverPrivilege | 3552 | cpuz_x64.exe
- Suspicious use of SetWindowsHookEx [2 IoCs]
  Processes:
    pid | process
    3552 | cpuz_x64.exe
    3552 | cpuz_x64.exe
- Suspicious use of WriteProcessMemory [4 IoCs]
  Processes:
    description | pid | process | target process
    PID 2820 wrote to memory of 3552 | 2820 | 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe | cpuz_x64.exe
    PID 2820 wrote to memory of 3552 | 2820 | 5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe | cpuz_x64.exe
    PID 3552 wrote to memory of 3972 | 3552 | cpuz_x64.exe | NOTEPAD.EXE
    PID 3552 wrote to memory of 3972 | 3552 | cpuz_x64.exe | NOTEPAD.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c734cbcd749d809193e43d615161c27e0a4ae2f217713c67421ff2220835e98.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Writes to the Master Boot Record (MBR)
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_3552.log
      - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz.ini
  Filesize: 546B
  MD5: b87e9c6d0382d4e55c7c4672510edd44
  SHA1: bde5ef78466deb360f37aa259c10d8e12022e588
  SHA256: 191b892d5e60292f5ec66b4d63fe77197167384cf4ec6c9e7f57550f62f8f877
  SHA512: bd7a7d84de8703ba9514824f8ac95b52b98f0baed2e99b150fd9a9262fcec038a6acf4fe27864fe5b3d554326ba417fe68757a8e8f7211c0c400cae96c5ec29e
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CPU-Z\cpuz_x64.exe
  Filesize: 4.3MB
  MD5: f9caa69e23612ba60ab4c3ff5277d086
  SHA1: 08807e51a1d9fc6c1ec3379c554542aa06edd978
  SHA256: 23248a893ba4c74462940d92f8a466bc7cb7a1623aea5b70a53876b58281ef45
  SHA512: 81ad9874d2b6a46d22708c6ad2e84542591031f1ab6da86a9d023193ad8ff619754a65365fc72a568f272a7d06cb8dd448914889d2bbd8b05a82277bd68382ce
- C:\Windows\temp\cpuz_driver_3552.log
  Filesize: 2KB
  MD5: 84d6980f50240ee74f6c0213a67361c6
  SHA1: d5e3d90357635ab662c44d7fd3b7202bc9652478
  SHA256: 5f94ac92b229101714f490f28604bbf6a85dc6c00232272c8592c0e527f3f4af
  SHA512: d6d8ef0f61ac2b1bd13ca30ba1a4c56e55df00d4851fe5d641d6628aba95315b6feb630d9002c5ce0988fdf09e2436c814382926c2834afb08891e85cc2ab28b
- memory/2820-132-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/2820-133-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/3552-134-0x0000000000000000-mapping.dmp
- memory/3972-138-0x0000000000000000-mapping.dmp