f3a34a03f6e74dfeba15819ca2f3b5faf7915f7d3d76b930dda33c665cdc7c29

Analysis

max time kernel
59s
max time network
42s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-01-2023 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cpu-z_2.03-en.exe
Size

2.0MB
MD5

41d89d403cfceac5a193f9d9fa08f21f
SHA1

bdd09a06e4a3655008bbc521a59c6e01142965c4
SHA256

f3a34a03f6e74dfeba15819ca2f3b5faf7915f7d3d76b930dda33c665cdc7c29
SHA512

9c6b8c1c67ff8cb0c505b228824d21950d3d4bcd00a56ff7389a5a1a5c3d2eacb7b9fae39afcf6c77c9f7c7d44bb9d5e7a8c8544c93876df1f27b91e86cadb3d
SSDEEP

49152:Tyis+sgxHSFUAUZxCCutw2mE8jeNtxGPb8ZFAU1a1:OiZnxHSFGxjf2m3WZR1c

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1408	cpu-z_2.03-en.tmp
1480	_setup64.tmp
1776	cpuz.exe

Loads dropped DLL 9 IoCs

pid	Process
1812	cpu-z_2.03-en.exe
1408	cpu-z_2.03-en.tmp
1408	cpu-z_2.03-en.tmp
1408	cpu-z_2.03-en.tmp
1408	cpu-z_2.03-en.tmp
1312	Process not Found
1312	Process not Found
1312	Process not Found
1312	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cpuz.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\CPUID\CPU-Z\unins000.dat	cpu-z_2.03-en.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-CIPNC.tmp	cpu-z_2.03-en.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-RNHIA.tmp	cpu-z_2.03-en.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-230N6.tmp	cpu-z_2.03-en.tmp
File opened for modification	C:\Program Files\CPUID\CPU-Z\cpuz.ini	cpuz.exe
File opened for modification	C:\Program Files\CPUID\CPU-Z\cpuz.exe	cpu-z_2.03-en.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-537GK.tmp	cpu-z_2.03-en.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-15C6S.tmp	cpu-z_2.03-en.tmp
File opened for modification	C:\Program Files\CPUID\CPU-Z\unins000.dat	cpu-z_2.03-en.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1408	cpu-z_2.03-en.tmp
1408	cpu-z_2.03-en.tmp
1776	cpuz.exe
1776	cpuz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1776	cpuz.exe
Token: SeLoadDriverPrivilege	1776	cpuz.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1408	cpu-z_2.03-en.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1776	cpuz.exe
1776	cpuz.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1408	1812	cpu-z_2.03-en.exe	28
PID 1812 wrote to memory of 1408	1812	cpu-z_2.03-en.exe	28
PID 1812 wrote to memory of 1408	1812	cpu-z_2.03-en.exe	28
PID 1812 wrote to memory of 1408	1812	cpu-z_2.03-en.exe	28
PID 1812 wrote to memory of 1408	1812	cpu-z_2.03-en.exe	28
PID 1812 wrote to memory of 1408	1812	cpu-z_2.03-en.exe	28
PID 1812 wrote to memory of 1408	1812	cpu-z_2.03-en.exe	28
PID 1408 wrote to memory of 1480	1408	cpu-z_2.03-en.tmp	29
PID 1408 wrote to memory of 1480	1408	cpu-z_2.03-en.tmp	29
PID 1408 wrote to memory of 1480	1408	cpu-z_2.03-en.tmp	29
PID 1408 wrote to memory of 1480	1408	cpu-z_2.03-en.tmp	29

C:\Users\Admin\AppData\Local\Temp\cpu-z_2.03-en.exe
"C:\Users\Admin\AppData\Local\Temp\cpu-z_2.03-en.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\is-P9VT6.tmp\cpu-z_2.03-en.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-P9VT6.tmp\cpu-z_2.03-en.tmp" /SL5="$A0022,1869146,58368,C:\Users\Admin\AppData\Local\Temp\cpu-z_2.03-en.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\is-1LG7B.tmp\_isetup\_setup64.tmp
    helper 105 0x200
    3⤵
    - Executes dropped EXE
    PID:1480

C:\Program Files\CPUID\CPU-Z\cpuz.exe
"C:\Program Files\CPUID\CPU-Z\cpuz.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CPUID\CPU-Z\cpuz.exe

Filesize
4.4MB

MD5
230fe0e593855f67ac276298644daa49

SHA1
addda23a8954d4ab8ff1d68280f2b13c33988cf0

SHA256
2f90cfc224fef174fe7dc29de22ca4966854ef9a9700e41665fc7b42f0618494

SHA512
c361eae4267e3bd45bccc150e78750beb9d42c373b24de2312f36cd0d32e0e02c58e8e7554a7ccb7c8978a5e2cfc8478ea8067b2ab43d435f7b469b91e3c99da

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz.exe

Filesize
4.4MB

MD5
230fe0e593855f67ac276298644daa49

SHA1
addda23a8954d4ab8ff1d68280f2b13c33988cf0

SHA256
2f90cfc224fef174fe7dc29de22ca4966854ef9a9700e41665fc7b42f0618494

SHA512
c361eae4267e3bd45bccc150e78750beb9d42c373b24de2312f36cd0d32e0e02c58e8e7554a7ccb7c8978a5e2cfc8478ea8067b2ab43d435f7b469b91e3c99da

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz.ini

Filesize
546B

MD5
043ea8b2be558a5ae584fd8e62b548f7

SHA1
5e65076c9dc80e73643530fd12c8b8ca70c40b01

SHA256
b2f17a44b20448084faecf36bce74e6d7d3d57a40f3cb5098f846f8a99053d35

SHA512
b8f2cf849cc8db512759f08b05bb2af04663a2dba766c260c2258a3428a66b69bdedb0b76f640f5e7ed14841b5ef51840830db9c2eff2d6039566fb455d1a572

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1LG7B.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P9VT6.tmp\cpu-z_2.03-en.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P9VT6.tmp\cpu-z_2.03-en.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe

Filesize
4.4MB

MD5
230fe0e593855f67ac276298644daa49

SHA1
addda23a8954d4ab8ff1d68280f2b13c33988cf0

SHA256
2f90cfc224fef174fe7dc29de22ca4966854ef9a9700e41665fc7b42f0618494

SHA512
c361eae4267e3bd45bccc150e78750beb9d42c373b24de2312f36cd0d32e0e02c58e8e7554a7ccb7c8978a5e2cfc8478ea8067b2ab43d435f7b469b91e3c99da

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe

Filesize
4.4MB

MD5
230fe0e593855f67ac276298644daa49

SHA1
addda23a8954d4ab8ff1d68280f2b13c33988cf0

SHA256
2f90cfc224fef174fe7dc29de22ca4966854ef9a9700e41665fc7b42f0618494

SHA512
c361eae4267e3bd45bccc150e78750beb9d42c373b24de2312f36cd0d32e0e02c58e8e7554a7ccb7c8978a5e2cfc8478ea8067b2ab43d435f7b469b91e3c99da

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe

Filesize
4.4MB

MD5
230fe0e593855f67ac276298644daa49

SHA1
addda23a8954d4ab8ff1d68280f2b13c33988cf0

SHA256
2f90cfc224fef174fe7dc29de22ca4966854ef9a9700e41665fc7b42f0618494

SHA512
c361eae4267e3bd45bccc150e78750beb9d42c373b24de2312f36cd0d32e0e02c58e8e7554a7ccb7c8978a5e2cfc8478ea8067b2ab43d435f7b469b91e3c99da

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe

Filesize
4.4MB

MD5
230fe0e593855f67ac276298644daa49

SHA1
addda23a8954d4ab8ff1d68280f2b13c33988cf0

SHA256
2f90cfc224fef174fe7dc29de22ca4966854ef9a9700e41665fc7b42f0618494

SHA512
c361eae4267e3bd45bccc150e78750beb9d42c373b24de2312f36cd0d32e0e02c58e8e7554a7ccb7c8978a5e2cfc8478ea8067b2ab43d435f7b469b91e3c99da

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe

Filesize
4.4MB

MD5
230fe0e593855f67ac276298644daa49

SHA1
addda23a8954d4ab8ff1d68280f2b13c33988cf0

SHA256
2f90cfc224fef174fe7dc29de22ca4966854ef9a9700e41665fc7b42f0618494

SHA512
c361eae4267e3bd45bccc150e78750beb9d42c373b24de2312f36cd0d32e0e02c58e8e7554a7ccb7c8978a5e2cfc8478ea8067b2ab43d435f7b469b91e3c99da

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe

Filesize
4.4MB

MD5
230fe0e593855f67ac276298644daa49

SHA1
addda23a8954d4ab8ff1d68280f2b13c33988cf0

SHA256
2f90cfc224fef174fe7dc29de22ca4966854ef9a9700e41665fc7b42f0618494

SHA512
c361eae4267e3bd45bccc150e78750beb9d42c373b24de2312f36cd0d32e0e02c58e8e7554a7ccb7c8978a5e2cfc8478ea8067b2ab43d435f7b469b91e3c99da

Download Submit
\Program Files\CPUID\CPU-Z\unins000.exe

Filesize
713KB

MD5
d1c46c8fc337c9c4cbab797137939d53

SHA1
c7fca9d35fff8db9e2b1da7a7ceeb2ab2bdca283

SHA256
798eecebb059f2c27383816be38a2e8ee9a2f05eabd2028fb8d7bcda58caa597

SHA512
5b87b887f09dfd7ccda277168179e7b19a9ad15b09924f081cf45a0a7008fcbc3c1e7cc9d5b278d5463a3be9a1175dc35c1759efcc300ce19ec32e92381acf62

Download Submit
\Users\Admin\AppData\Local\Temp\is-1LG7B.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
\Users\Admin\AppData\Local\Temp\is-P9VT6.tmp\cpu-z_2.03-en.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
memory/1408-62-0x0000000074451000-0x0000000074453000-memory.dmp

Filesize
8KB

Download
memory/1408-58-0x0000000000000000-mapping.dmp

Download
memory/1480-67-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1480-65-0x0000000000000000-mapping.dmp

Download
memory/1812-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1812-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1812-76-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1812-55-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download