Analysis
- max time kernel: 92s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/02/2023, 18:53
General
- Target: GPU-Z.2.52.0.exe
- Size: 9.0MB
- MD5: cf7303165b3f1e209fbaba8e03f5b15f
- SHA1: 84a5b69908ae6231b4c0c986c546fb7fa8d8ed57
- SHA256: bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c
- SHA512: c8968fb93d16968be774afa9e4637a66ea0e3f94dfcf60a5c3ef702ea3b57b8b1f19c6af3c2d2668f0e2f863046975caa5ac401114e1f05d4682a5a7f6175e6f
- SSDEEP: 196608:QeEU0VUYugtxC0yMqf46loe+dspAWXVcWDI1pON3bdK+WobUt4Jy99:QYMFg/lHDpn416dK/59
Malware Config
(none listed)

Signatures
Executes dropped EXE 4 IoCs
- PID 1512: gpuz_installer.exe
- PID 4992: gpuz_installer.tmp
- PID 2036: GPU-Z.exe
- PID 4712: GPU-Z.exe
resource / yara_rule:
- behavioral1/memory/1200-132-0x0000000000C60000-0x00000000035C5000-memory.dmp: upx
- behavioral1/files/0x0009000000022f53-140.dat: upx
- behavioral1/memory/1200-142-0x0000000000C60000-0x00000000035C5000-memory.dmp: upx
- behavioral1/files/0x0006000000022f70-145.dat: upx
- behavioral1/files/0x0006000000022f70-146.dat: upx
- behavioral1/memory/2036-147-0x0000000000D60000-0x00000000036C5000-memory.dmp: upx
- behavioral1/memory/1200-149-0x0000000000C60000-0x00000000035C5000-memory.dmp: upx
- behavioral1/files/0x0006000000022f70-150.dat: upx
- behavioral1/memory/4712-151-0x0000000000D60000-0x00000000036C5000-memory.dmp: upx
- behavioral1/memory/4712-153-0x0000000000D60000-0x00000000036C5000-memory.dmp: upx
- behavioral1/memory/2036-154-0x0000000000D60000-0x00000000036C5000-memory.dmp: upx
The `upx` rule fired on the submitted process (PID 1200), on two dropped files, and on both GPU-Z.exe instances (PIDs 2036 and 4712). The dumped image regions are the same size in all three processes (0x2965000 bytes), which is consistent with the installed GPU-Z.exe being the same UPX-packed binary as the sample. UPX is a stock packer used by plenty of legitimate software, so this hit on its own is not evidence of malice.
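The `upx` YARA hits above come from markers that any UPX-packed PE carries. As an added example (not part of the sandbox report, and not tooling from the sandbox vendor or from GPU-Z's authors), the Python below walks the PE section table and reports the two cheap indicators: `UPX0`/`UPX1` section names and the `UPX!` pack-header magic. The PE it tests against is constructed in memory; the assumption is that a DOS stub, a COFF header, a zeroed PE32+ optional header and a section table are enough for the walk (the image is not loadable), and the 4 KiB scan window for the magic is an assumption about where UPX leaves it.

```python
"""Cheap UPX indicators for a PE image (added example, not from the report).

Builds a constructed, non-loadable PE in memory so the check runs offline;
no GPU-Z bytes are embedded. Two indicators are checked: section names that
start with 'UPX' (UPX0/UPX1 plus a resource section in a stock UPX build)
and the 'UPX!' pack-header magic in the header area.
"""
import struct
import sys

PE_SIGNATURE = b"PE\x00\x00"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
IMAGE_FILE_MACHINE_AMD64 = 0x8664
HEADER_SCAN_LIMIT = 4096  # assumption: UPX leaves 'UPX!' within the first few KiB


def build_minimal_pe(section_names, optional_header_size=0xF0, extra=b""):
    """Constructed PE: 64-byte DOS header, PE signature, COFF header, zeroed
    PE32+ optional header and one 40-byte section header per name."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(
        "<HHIIIHH",
        IMAGE_FILE_MACHINE_AMD64,  # Machine
        len(section_names),        # NumberOfSections
        0, 0, 0,                   # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        optional_header_size,      # SizeOfOptionalHeader
        0x0022,                    # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    optional = b"\x0b\x02" + b"\x00" * (optional_header_size - 2)  # PE32+ magic, rest zero
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\x00") + b"\x00" * (SECTION_HEADER_SIZE - 8)
        for name in section_names
    )
    return dos_header + PE_SIGNATURE + coff + optional + sections + extra


def pe_section_names(data):
    """Walk the section table and return the section names in file order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff_off + 16)[0]
    table_off = coff_off + COFF_HEADER_SIZE + size_of_optional
    names = []
    for i in range(number_of_sections):
        off = table_off + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Return the UPX-named sections found and whether 'UPX!' sits in the header area."""
    names = pe_section_names(data)
    return {
        "sections": [n for n in names if n.upper().startswith("UPX")],
        "magic": b"UPX!" in data[:HEADER_SCAN_LIMIT],
    }


def looks_upx_packed(data):
    """Either indicator is enough: section names can be scrubbed, the magic is harder to lose."""
    ind = upx_indicators(data)
    return bool(ind["sections"]) or ind["magic"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_minimal_pe(["UPX0", "UPX1", ".rsrc"], extra=b"UPX!" + bytes(4))
    print(upx_indicators(blob))
```

Run it with a path argument to scan a dumped region or a dropped file. Section names can be renamed by a post-processing step, which is why the magic check is kept as a second indicator; a real `upx` YARA rule usually also matches on the unpacking-stub bytes, which this check does not look at.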
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (gpuz_installer.tmp)
Caveat: the heuristic fires on any read of HKCU\Control Panel\International\Geo\Nation. The reader here is the installer stage, and one read of the user's configured country does not by itself show geofencing; a real geofence would also show an early exit or changed behaviour after the read, which this report does not record.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Caveat: no IoC is listed for this signature. Reading the Uninstall key is also how an installer checks for a previous installation of the same product before writing its own uninstall entry, so on its own it is not an inventory of the victim's software.
Drops file in Program Files directory 5 IoCs
- File opened for modification: C:\Program Files (x86)\GPU-Z\GPU-Z.exe (gpuz_installer.tmp)
- File created: C:\Program Files (x86)\GPU-Z\unins000.dat (gpuz_installer.tmp)
- File created: C:\Program Files (x86)\GPU-Z\is-SIMAF.tmp (gpuz_installer.tmp)
- File created: C:\Program Files (x86)\GPU-Z\is-E1G22.tmp (gpuz_installer.tmp)
- File opened for modification: C:\Program Files (x86)\GPU-Z\unins000.dat (gpuz_installer.tmp)
The is-XXXXX.tmp staging files and the unins000.dat uninstall log are the Inno Setup naming convention; they are written by the installer stage before the final file names are put in place.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: this is a generic heuristic. Nothing else in the report supports the ransomware reading (no file encryption, no ransom note, and the Network section lists nothing). Drive enumeration is routine for an installer checking free space and for a hardware-information tool, so treat this hit as low-signal here.
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 4992: gpuz_installer.tmp (x2)
Suspicious behavior: LoadsDriver 2 IoCs
- PID 648: Process not Found (x2)
The sandbox could not resolve PID 648 to a process name, so the report does not attribute the driver load to any of the processes in the tree below, and the driver itself is not identified in this extract. Check the full kernel log before drawing conclusions from this entry.
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege, PID 1200: GPU-Z.2.52.0.exe
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 4992: gpuz_installer.tmp
Suspicious use of SetWindowsHookEx 8 IoCs
- PID 1200: GPU-Z.2.52.0.exe (x1)
- PID 2036: GPU-Z.exe (x3)
- PID 4712: GPU-Z.exe (x4)
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
- PID 1200 wrote to memory of 1512 | 1200 | GPU-Z.2.52.0.exe | 78 (x3)
- PID 1512 wrote to memory of 4992 | 1512 | gpuz_installer.exe | 79 (x3)
- PID 4992 wrote to memory of 2036 | 4992 | gpuz_installer.tmp | 89 (x3)
Every target is a child the same process had just spawned (see the process tree below), and each edge is logged three times. That pattern is the parent writing into its own new child during process creation, not injection into an unrelated process; the count reflects repeated writes, not nine distinct targets.
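The nine records above reduce to three parent/child edges. As an added example (not from the report or the sandbox vendor), the Python below parses records in that flattened form, collapses repeated writes into one edge with a call count, and reconstructs the chain; the input lines are constructed by transcribing the table above, and the PID-to-name map is taken from the "Executes dropped EXE" list. PIDs that no tracked process wrote into surface as separate roots, which is why the second GPU-Z.exe (PID 4712) appears as its own top-level entry in the process tree.

```python
"""Rebuild parent/child edges from WriteProcessMemory records (added example).

Input format is the flattened report row:
  PID <src> wrote to memory of <dst> <src> <src-name> <target-index>
Repeated rows for the same (src, dst) pair are folded into one edge with a
call count. The sample text is a transcription of the report's nine rows.
"""
import re
from collections import Counter, defaultdict

RECORD_RE = re.compile(
    r"PID\s+(?P<src>\d+)\s+wrote to memory of\s+(?P<dst>\d+)"
    r"\s+(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<target>\d+)"
)

# Constructed from the table above (one row per line).
SAMPLE_WPM = """\
PID 1200 wrote to memory of 1512 1200 GPU-Z.2.52.0.exe 78
PID 1200 wrote to memory of 1512 1200 GPU-Z.2.52.0.exe 78
PID 1200 wrote to memory of 1512 1200 GPU-Z.2.52.0.exe 78
PID 1512 wrote to memory of 4992 1512 gpuz_installer.exe 79
PID 1512 wrote to memory of 4992 1512 gpuz_installer.exe 79
PID 1512 wrote to memory of 4992 1512 gpuz_installer.exe 79
PID 4992 wrote to memory of 2036 4992 gpuz_installer.tmp 89
PID 4992 wrote to memory of 2036 4992 gpuz_installer.tmp 89
PID 4992 wrote to memory of 2036 4992 gpuz_installer.tmp 89
"""
# Taken from the report's 'Executes dropped EXE' list.
SAMPLE_NAMES = {1512: "gpuz_installer.exe", 4992: "gpuz_installer.tmp",
                2036: "GPU-Z.exe", 4712: "GPU-Z.exe"}


def parse_wpm(text):
    """Return (src_pid, dst_pid, src_name, target_index) for each matching line."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            records.append((int(m["src"]), int(m["dst"]), m["proc"], int(m["target"])))
    return records


def build_tree(records, names=None):
    """Fold records into parent map, child lists and per-edge call counts."""
    names = dict(names or {})
    parent = {}
    children = defaultdict(list)
    calls = Counter()
    for src, dst, src_name, _ in records:
        names.setdefault(src, src_name)
        calls[(src, dst)] += 1
        if dst not in parent:  # first write wins; later rows are repeats of the same edge
            parent[dst] = src
            children[src].append(dst)
    roots = sorted(p for p in names if p not in parent and p in children)
    return {"names": names, "parent": parent, "children": dict(children),
            "calls": dict(calls), "roots": roots}


def chain(tree, pid):
    """Ancestry from the root down to pid, e.g. [1200, 1512, 4992, 2036]."""
    out = [pid]
    while out[0] in tree["parent"]:
        out.insert(0, tree["parent"][out[0]])
    return out


def unparented(tree):
    """Known PIDs nobody wrote into and that spawned nothing: separate top-level entries."""
    return sorted(p for p in tree["names"]
                  if p not in tree["parent"] and p not in tree["children"])


def render(tree):
    """Indented tree with the call count on each edge."""
    lines = []

    def walk(pid, depth, note=""):
        lines.append("  " * depth + f"{tree['names'].get(pid, '?')} (PID {pid}){note}")
        for child in tree["children"].get(pid, []):
            n = tree["calls"][(pid, child)]
            walk(child, depth + 1, f"  [{n} WriteProcessMemory call(s) from PID {pid}]")

    for root in tree["roots"]:
        walk(root, 0)
    for pid in unparented(tree):
        lines.append(f"{tree['names'][pid]} (PID {pid})  [no recorded parent]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_tree(parse_wpm(SAMPLE_WPM), SAMPLE_NAMES)))
```

The "first write wins" rule is what makes repeated rows harmless; if the same child ever showed writes from two different parents, that would be worth a closer look, and the `calls` map keeps the second writer visible even though it does not become the parent.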
Processes
- C:\Users\Admin\AppData\Local\Temp\GPU-Z.2.52.0.exe (PID 1200)
  command line: "C:\Users\Admin\AppData\Local\Temp\GPU-Z.2.52.0.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe (PID 1512)
    command line: "C:\Users\Admin\AppData\Local\Temp\\gpuz_installer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-DN5BH.tmp\gpuz_installer.tmp (PID 4992)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-DN5BH.tmp\gpuz_installer.tmp" /SL5="$D0066,721408,721408,C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\GPU-Z\GPU-Z.exe (PID 2036)
        command line: "C:\Program Files (x86)\GPU-Z\GPU-Z.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\GPU-Z\GPU-Z.exe (PID 4712)
  command line: "C:\Program Files (x86)\GPU-Z\GPU-Z.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  (listed as a second top-level process because the report records no parent for PID 4712)
The is-DN5BH.tmp staging directory and the /SL5= switch are the Inno Setup setup-loader convention: the sample drops a copy of itself as gpuz_installer.exe, which extracts the real installer as gpuz_installer.tmp and passes it the payload offsets within the original file. The chain sample -> dropped copy -> .tmp installer -> installed program is the normal shape of an Inno Setup install, and is what produces the "Executes dropped EXE" and WriteProcessMemory hits above.
Network
MITRE ATT&CK Enterprise v6
Downloads
The file names of the download entries were not preserved in this extract; the distinct artifacts by hash are listed once each with the number of entries that carried them.
- 9.0MB (4 entries; the hashes match the submitted GPU-Z.2.52.0.exe, so the dropped copies are byte-identical to the sample)
  MD5: cf7303165b3f1e209fbaba8e03f5b15f
  SHA1: 84a5b69908ae6231b4c0c986c546fb7fa8d8ed57
  SHA256: bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c
  SHA512: c8968fb93d16968be774afa9e4637a66ea0e3f94dfcf60a5c3ef702ea3b57b8b1f19c6af3c2d2668f0e2f863046975caa5ac401114e1f05d4682a5a7f6175e6f
- 50KB (1 entry)
  MD5: 079edc2a318b7f36fed13f1c57b067ec
  SHA1: d62265d9b955b5b12e8ab1dcecde0f257fae9ece
  SHA256: beb24158f3c09443c70109380c4cffebfe446b9c462a0de949dc6f93345b0f63
  SHA512: 7aed3acf50106b0d0dd7405b8bb205768d1bbfcc6bb7ca7d828c05269809dea7f8e190709856a489963fdedea13922fe44002a1f190eff5440f67a402432ad46
- 1.4MB (2 entries)
  MD5: db0fe2fc8b640f81be6103efabb69fc1
  SHA1: b8ede445e915c83981ec63b5ba5cf32ec4017f01
  SHA256: 6cdfac9a6fd83d7a0b652bd8d5a971a753704302e697c3129dcaa5f2de465a44
  SHA512: 086695eadbc175e1fad454f3aecee927846fc22ad9f99933b89a722e8e48badc1ce0fb77237711aae674086fff0ee9ba875c79c4f67e84800b72723b1426c393
- 2.4MB (2 entries)
  MD5: 8e2d270339dcd0a68fbb2f02a65d45dd
  SHA1: bfcdb1f71692020858f96960e432e94a4e70c4a4
  SHA256: 506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811
  SHA512: 31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647