Analysis

  • max time kernel
    92s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/02/2023, 18:53

General

  • Target

    GPU-Z.2.52.0.exe

  • Size

    9.0MB

  • MD5

    cf7303165b3f1e209fbaba8e03f5b15f

  • SHA1

    84a5b69908ae6231b4c0c986c546fb7fa8d8ed57

  • SHA256

    bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c

  • SHA512

    c8968fb93d16968be774afa9e4637a66ea0e3f94dfcf60a5c3ef702ea3b57b8b1f19c6af3c2d2668f0e2f863046975caa5ac401114e1f05d4682a5a7f6175e6f

  • SSDEEP

    196608:QeEU0VUYugtxC0yMqf46loe+dspAWXVcWDI1pON3bdK+WobUt4Jy99:QYMFg/lHDpn416dK/59

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GPU-Z.2.52.0.exe
    "C:\Users\Admin\AppData\Local\Temp\GPU-Z.2.52.0.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\\gpuz_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Users\Admin\AppData\Local\Temp\is-DN5BH.tmp\gpuz_installer.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-DN5BH.tmp\gpuz_installer.tmp" /SL5="$D0066,721408,721408,C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4992
        • C:\Program Files (x86)\GPU-Z\GPU-Z.exe
          "C:\Program Files (x86)\GPU-Z\GPU-Z.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2036
  • C:\Program Files (x86)\GPU-Z\GPU-Z.exe
    "C:\Program Files (x86)\GPU-Z\GPU-Z.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:4712

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\GPU-Z\GPU-Z.exe

    Filesize

    9.0MB

    MD5

    cf7303165b3f1e209fbaba8e03f5b15f

    SHA1

    84a5b69908ae6231b4c0c986c546fb7fa8d8ed57

    SHA256

    bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c

    SHA512

    c8968fb93d16968be774afa9e4637a66ea0e3f94dfcf60a5c3ef702ea3b57b8b1f19c6af3c2d2668f0e2f863046975caa5ac401114e1f05d4682a5a7f6175e6f

  • C:\Users\Admin\AppData\Local\Temp\GPU-Z-v2.sys

    Filesize

    50KB

    MD5

    079edc2a318b7f36fed13f1c57b067ec

    SHA1

    d62265d9b955b5b12e8ab1dcecde0f257fae9ece

    SHA256

    beb24158f3c09443c70109380c4cffebfe446b9c462a0de949dc6f93345b0f63

    SHA512

    7aed3acf50106b0d0dd7405b8bb205768d1bbfcc6bb7ca7d828c05269809dea7f8e190709856a489963fdedea13922fe44002a1f190eff5440f67a402432ad46

  • C:\Users\Admin\AppData\Local\Temp\GPU-Z.exe

    Filesize

    9.0MB

    MD5

    cf7303165b3f1e209fbaba8e03f5b15f

    SHA1

    84a5b69908ae6231b4c0c986c546fb7fa8d8ed57

    SHA256

    bd1492b119d6fd6e26a90f90365e1d7e02baf0162c2347127a6f47feb89d0c9c

    SHA512

    c8968fb93d16968be774afa9e4637a66ea0e3f94dfcf60a5c3ef702ea3b57b8b1f19c6af3c2d2668f0e2f863046975caa5ac401114e1f05d4682a5a7f6175e6f

  • C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe

    Filesize

    1.4MB

    MD5

    db0fe2fc8b640f81be6103efabb69fc1

    SHA1

    b8ede445e915c83981ec63b5ba5cf32ec4017f01

    SHA256

    6cdfac9a6fd83d7a0b652bd8d5a971a753704302e697c3129dcaa5f2de465a44

    SHA512

    086695eadbc175e1fad454f3aecee927846fc22ad9f99933b89a722e8e48badc1ce0fb77237711aae674086fff0ee9ba875c79c4f67e84800b72723b1426c393

  • C:\Users\Admin\AppData\Local\Temp\is-DN5BH.tmp\gpuz_installer.tmp

    Filesize

    2.4MB

    MD5

    8e2d270339dcd0a68fbb2f02a65d45dd

    SHA1

    bfcdb1f71692020858f96960e432e94a4e70c4a4

    SHA256

    506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

    SHA512

    31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

  • memory/1200-149-0x0000000000C60000-0x00000000035C5000-memory.dmp

    Filesize

    41.4MB

  • memory/1200-132-0x0000000000C60000-0x00000000035C5000-memory.dmp

    Filesize

    41.4MB

  • memory/1200-142-0x0000000000C60000-0x00000000035C5000-memory.dmp

    Filesize

    41.4MB

  • memory/1512-148-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

  • memory/1512-141-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

  • memory/1512-135-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

  • memory/2036-147-0x0000000000D60000-0x00000000036C5000-memory.dmp

    Filesize

    41.4MB

  • memory/2036-154-0x0000000000D60000-0x00000000036C5000-memory.dmp

    Filesize

    41.4MB

  • memory/4712-151-0x0000000000D60000-0x00000000036C5000-memory.dmp

    Filesize

    41.4MB

  • memory/4712-153-0x0000000000D60000-0x00000000036C5000-memory.dmp

    Filesize

    41.4MB