bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c

Analysis

max time kernel
92s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GPU-Z.2.52.0.exe
Size

9.0MB
MD5

cf7303165b3f1e209fbaba8e03f5b15f
SHA1

84a5b69908ae6231b4c0c986c546fb7fa8d8ed57
SHA256

bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c
SHA512

c8968fb93d16968be774afa9e4637a66ea0e3f94dfcf60a5c3ef702ea3b57b8b1f19c6af3c2d2668f0e2f863046975caa5ac401114e1f05d4682a5a7f6175e6f
SSDEEP

196608:QeEU0VUYugtxC0yMqf46loe+dspAWXVcWDI1pON3bdK+WobUt4Jy99:QYMFg/lHDpn416dK/59

Score

8^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1512	gpuz_installer.exe
4992	gpuz_installer.tmp
2036	GPU-Z.exe
4712	GPU-Z.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1200-132-0x0000000000C60000-0x00000000035C5000-memory.dmp	upx
behavioral1/files/0x0009000000022f53-140.dat	upx
behavioral1/memory/1200-142-0x0000000000C60000-0x00000000035C5000-memory.dmp	upx
behavioral1/files/0x0006000000022f70-145.dat	upx
behavioral1/files/0x0006000000022f70-146.dat	upx
behavioral1/memory/2036-147-0x0000000000D60000-0x00000000036C5000-memory.dmp	upx
behavioral1/memory/1200-149-0x0000000000C60000-0x00000000035C5000-memory.dmp	upx
behavioral1/files/0x0006000000022f70-150.dat	upx
behavioral1/memory/4712-151-0x0000000000D60000-0x00000000036C5000-memory.dmp	upx
behavioral1/memory/4712-153-0x0000000000D60000-0x00000000036C5000-memory.dmp	upx
behavioral1/memory/2036-154-0x0000000000D60000-0x00000000036C5000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	gpuz_installer.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GPU-Z\GPU-Z.exe	gpuz_installer.tmp
File created	C:\Program Files (x86)\GPU-Z\unins000.dat	gpuz_installer.tmp
File created	C:\Program Files (x86)\GPU-Z\is-SIMAF.tmp	gpuz_installer.tmp
File created	C:\Program Files (x86)\GPU-Z\is-E1G22.tmp	gpuz_installer.tmp
File opened for modification	C:\Program Files (x86)\GPU-Z\unins000.dat	gpuz_installer.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4992	gpuz_installer.tmp
4992	gpuz_installer.tmp

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	GPU-Z.2.52.0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4992	gpuz_installer.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1200	GPU-Z.2.52.0.exe
2036	GPU-Z.exe
2036	GPU-Z.exe
2036	GPU-Z.exe
4712	GPU-Z.exe
4712	GPU-Z.exe
4712	GPU-Z.exe
4712	GPU-Z.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1512	1200	GPU-Z.2.52.0.exe	78
PID 1200 wrote to memory of 1512	1200	GPU-Z.2.52.0.exe	78
PID 1200 wrote to memory of 1512	1200	GPU-Z.2.52.0.exe	78
PID 1512 wrote to memory of 4992	1512	gpuz_installer.exe	79
PID 1512 wrote to memory of 4992	1512	gpuz_installer.exe	79
PID 1512 wrote to memory of 4992	1512	gpuz_installer.exe	79
PID 4992 wrote to memory of 2036	4992	gpuz_installer.tmp	89
PID 4992 wrote to memory of 2036	4992	gpuz_installer.tmp	89
PID 4992 wrote to memory of 2036	4992	gpuz_installer.tmp	89

C:\Users\Admin\AppData\Local\Temp\GPU-Z.2.52.0.exe
"C:\Users\Admin\AppData\Local\Temp\GPU-Z.2.52.0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\\gpuz_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\is-DN5BH.tmp\gpuz_installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DN5BH.tmp\gpuz_installer.tmp" /SL5="$D0066,721408,721408,C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Program Files (x86)\GPU-Z\GPU-Z.exe
      "C:\Program Files (x86)\GPU-Z\GPU-Z.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2036

C:\Program Files (x86)\GPU-Z\GPU-Z.exe
"C:\Program Files (x86)\GPU-Z\GPU-Z.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GPU-Z\GPU-Z.exe

Filesize
9.0MB

MD5
cf7303165b3f1e209fbaba8e03f5b15f

SHA1
84a5b69908ae6231b4c0c986c546fb7fa8d8ed57

SHA256
bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c

SHA512
c8968fb93d16968be774afa9e4637a66ea0e3f94dfcf60a5c3ef702ea3b57b8b1f19c6af3c2d2668f0e2f863046975caa5ac401114e1f05d4682a5a7f6175e6f

Download Submit
C:\Program Files (x86)\GPU-Z\GPU-Z.exe

Filesize
9.0MB

MD5
cf7303165b3f1e209fbaba8e03f5b15f

SHA1
84a5b69908ae6231b4c0c986c546fb7fa8d8ed57

SHA256
bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c

SHA512
c8968fb93d16968be774afa9e4637a66ea0e3f94dfcf60a5c3ef702ea3b57b8b1f19c6af3c2d2668f0e2f863046975caa5ac401114e1f05d4682a5a7f6175e6f

Download Submit
C:\Program Files (x86)\GPU-Z\GPU-Z.exe

Filesize
9.0MB

MD5
cf7303165b3f1e209fbaba8e03f5b15f

SHA1
84a5b69908ae6231b4c0c986c546fb7fa8d8ed57

SHA256
bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c

SHA512
c8968fb93d16968be774afa9e4637a66ea0e3f94dfcf60a5c3ef702ea3b57b8b1f19c6af3c2d2668f0e2f863046975caa5ac401114e1f05d4682a5a7f6175e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPU-Z-v2.sys

Filesize
50KB

MD5
079edc2a318b7f36fed13f1c57b067ec

SHA1
d62265d9b955b5b12e8ab1dcecde0f257fae9ece

SHA256
beb24158f3c09443c70109380c4cffebfe446b9c462a0de949dc6f93345b0f63

SHA512
7aed3acf50106b0d0dd7405b8bb205768d1bbfcc6bb7ca7d828c05269809dea7f8e190709856a489963fdedea13922fe44002a1f190eff5440f67a402432ad46

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPU-Z.exe

Filesize
9.0MB

MD5
cf7303165b3f1e209fbaba8e03f5b15f

SHA1
84a5b69908ae6231b4c0c986c546fb7fa8d8ed57

SHA256
bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c

SHA512
c8968fb93d16968be774afa9e4637a66ea0e3f94dfcf60a5c3ef702ea3b57b8b1f19c6af3c2d2668f0e2f863046975caa5ac401114e1f05d4682a5a7f6175e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe

Filesize
1.4MB

MD5
db0fe2fc8b640f81be6103efabb69fc1

SHA1
b8ede445e915c83981ec63b5ba5cf32ec4017f01

SHA256
6cdfac9a6fd83d7a0b652bd8d5a971a753704302e697c3129dcaa5f2de465a44

SHA512
086695eadbc175e1fad454f3aecee927846fc22ad9f99933b89a722e8e48badc1ce0fb77237711aae674086fff0ee9ba875c79c4f67e84800b72723b1426c393

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe

Filesize
1.4MB

MD5
db0fe2fc8b640f81be6103efabb69fc1

SHA1
b8ede445e915c83981ec63b5ba5cf32ec4017f01

SHA256
6cdfac9a6fd83d7a0b652bd8d5a971a753704302e697c3129dcaa5f2de465a44

SHA512
086695eadbc175e1fad454f3aecee927846fc22ad9f99933b89a722e8e48badc1ce0fb77237711aae674086fff0ee9ba875c79c4f67e84800b72723b1426c393

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DN5BH.tmp\gpuz_installer.tmp

Filesize
2.4MB

MD5
8e2d270339dcd0a68fbb2f02a65d45dd

SHA1
bfcdb1f71692020858f96960e432e94a4e70c4a4

SHA256
506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

SHA512
31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DN5BH.tmp\gpuz_installer.tmp

Filesize
2.4MB

MD5
8e2d270339dcd0a68fbb2f02a65d45dd

SHA1
bfcdb1f71692020858f96960e432e94a4e70c4a4

SHA256
506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

SHA512
31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

Download Submit
memory/1200-149-0x0000000000C60000-0x00000000035C5000-memory.dmp

Filesize
41.4MB

Download
memory/1200-132-0x0000000000C60000-0x00000000035C5000-memory.dmp

Filesize
41.4MB

Download
memory/1200-142-0x0000000000C60000-0x00000000035C5000-memory.dmp

Filesize
41.4MB

Download
memory/1512-148-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1512-141-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1512-135-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2036-147-0x0000000000D60000-0x00000000036C5000-memory.dmp

Filesize
41.4MB

Download
memory/2036-154-0x0000000000D60000-0x00000000036C5000-memory.dmp

Filesize
41.4MB

Download
memory/4712-151-0x0000000000D60000-0x00000000036C5000-memory.dmp

Filesize
41.4MB

Download
memory/4712-153-0x0000000000D60000-0x00000000036C5000-memory.dmp

Filesize
41.4MB

Download