6a0abd8c583a6c924103f93c6e32c112d05c858db9644dc343a41984b2ee9686

Resubmissions

25-03-2023 06:42

230325-hgjfjabe55 7

25-03-2023 06:08

230325-gwdm6abd89 7

25-03-2023 05:23

230325-f3nk9sbc99 7

Analysis

max time kernel
1091s
max time network
1004s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geekbench-6.0.1-WindowsSetup.exe
Size

254.6MB
MD5

ee547dc6a9e4321d52188c2941f48eee
SHA1

533755a280a0fddcc3d52d3a66d00d9f83a263ea
SHA256

6a0abd8c583a6c924103f93c6e32c112d05c858db9644dc343a41984b2ee9686
SHA512

2c1d422686b0312b971f74c990d604b456dcce5c6ac3169e4b19c617552fc9ebeae17b01e70fdb760a7b5af299734243e967c63a9843fe554831688ff972e9e6
SSDEEP

6291456:jLxHNDnucDaMUqyTDNe2MOa242eBDrs7geBpmuyAvX3:ZHpnuVMUd/3MOa4eBAlBzl

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Geekbench 6.exegeekbench_avx2.exe

pid process

3368 Geekbench 6.exe
4920 geekbench_avx2.exe

pid	process
3368	Geekbench 6.exe
4920	geekbench_avx2.exe

Loads dropped DLL 6 IoCs

Processes:

Geekbench-6.0.1-WindowsSetup.exeGeekbench 6.exegeekbench_avx2.exe

pid	process
1452	Geekbench-6.0.1-WindowsSetup.exe
1452	Geekbench-6.0.1-WindowsSetup.exe
1452	Geekbench-6.0.1-WindowsSetup.exe
3368	Geekbench 6.exe
3368	Geekbench 6.exe
4920	geekbench_avx2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Geekbench 6.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Geekbench 6.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Geekbench 6.exe

Drops file in Program Files directory 10 IoCs

Processes:

Geekbench-6.0.1-WindowsSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\Geekbench 6\Geekbench 6.exe	Geekbench-6.0.1-WindowsSetup.exe
File created	C:\Program Files (x86)\Geekbench 6\geekbench_x86_64.exe	Geekbench-6.0.1-WindowsSetup.exe
File created	C:\Program Files (x86)\Geekbench 6\pl_opencl_x86_64.dll	Geekbench-6.0.1-WindowsSetup.exe
File created	C:\Program Files (x86)\Geekbench 6\geekbench.plar	Geekbench-6.0.1-WindowsSetup.exe
File created	C:\Program Files (x86)\Geekbench 6\geekbench-workload.plar	Geekbench-6.0.1-WindowsSetup.exe
File created	C:\Program Files (x86)\Geekbench 6\Uninstall.exe	Geekbench-6.0.1-WindowsSetup.exe
File created	C:\Program Files (x86)\Geekbench 6\geekbench6.exe	Geekbench-6.0.1-WindowsSetup.exe
File created	C:\Program Files (x86)\Geekbench 6\amd_ags_x64.dll	Geekbench-6.0.1-WindowsSetup.exe
File created	C:\Program Files (x86)\Geekbench 6\cpuidsdk64.dll	Geekbench-6.0.1-WindowsSetup.exe
File created	C:\Program Files (x86)\Geekbench 6\geekbench_avx2.exe	Geekbench-6.0.1-WindowsSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3864 4920 WerFault.exe geekbench_avx2.exe

pid	pid_target	process	target process
3864	4920	WerFault.exe	geekbench_avx2.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Geekbench 6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Geekbench 6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Geekbench 6.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Geekbench 6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Geekbench 6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Geekbench 6.exe = "11001"	Geekbench 6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Geekbench 6.exe

pid process

3368 Geekbench 6.exe
3368 Geekbench 6.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Geekbench 6.exe

description pid process

Token: SeLoadDriverPrivilege 3368 Geekbench 6.exe
Token: SeLoadDriverPrivilege 3368 Geekbench 6.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Geekbench 6.exe

pid process

3368 Geekbench 6.exe
3368 Geekbench 6.exe
3368 Geekbench 6.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Geekbench 6.exe

pid process

3368 Geekbench 6.exe
3368 Geekbench 6.exe

pid	process
3368	Geekbench 6.exe
3368	Geekbench 6.exe

pid	process
676
676

description	pid	process
Token: SeLoadDriverPrivilege	3368	Geekbench 6.exe
Token: SeLoadDriverPrivilege	3368	Geekbench 6.exe

pid	process
3368	Geekbench 6.exe
3368	Geekbench 6.exe
3368	Geekbench 6.exe

pid	process
3368	Geekbench 6.exe
3368	Geekbench 6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Geekbench-6.0.1-WindowsSetup.exeGeekbench 6.exe

description	pid	process	target process
PID 1452 wrote to memory of 3368	1452	Geekbench-6.0.1-WindowsSetup.exe	Geekbench 6.exe
PID 1452 wrote to memory of 3368	1452	Geekbench-6.0.1-WindowsSetup.exe	Geekbench 6.exe
PID 3368 wrote to memory of 4920	3368	Geekbench 6.exe	geekbench_avx2.exe
PID 3368 wrote to memory of 4920	3368	Geekbench 6.exe	geekbench_avx2.exe

C:\Users\Admin\AppData\Local\Temp\Geekbench-6.0.1-WindowsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Geekbench-6.0.1-WindowsSetup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1452

C:\Program Files (x86)\Geekbench 6\Geekbench 6.exe
"C:\Program Files (x86)\Geekbench 6\Geekbench 6.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3368

C:\Program Files (x86)\Geekbench 6\geekbench_avx2.exe
"C:\Program Files (x86)\Geekbench 6\geekbench_avx2.exe" --backend --cpu --iterations 0 --workers 0 --channel \\.\pipe\rosedale.3368.0
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4920 -s 480
4⤵
- Program crash
PID:3864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 4920 -ip 4920
1⤵
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Geekbench 6\Geekbench 6.exe
Filesize
55.7MB

MD5
8ff6be41067e294d76f0701c3c999446

SHA1
9b5e078f371e9954831ee212f8b6c0fe7441d0a7

SHA256
01a5992aaf79d0d68ca8e0565de3c2e21999ec56873c2c68ed90bb8a7dab4b3c

SHA512
8d1f08857676de68f2cbf4f07de84508630141c3d44227a0fc0065070508cc82dda2d0a716c0228b9e78073828e34fec2526c8813ca0aa1fd01151f17eb794a9

Download Submit
C:\Program Files (x86)\Geekbench 6\Geekbench 6.exe
Filesize
55.7MB

MD5
8ff6be41067e294d76f0701c3c999446

SHA1
9b5e078f371e9954831ee212f8b6c0fe7441d0a7

SHA256
01a5992aaf79d0d68ca8e0565de3c2e21999ec56873c2c68ed90bb8a7dab4b3c

SHA512
8d1f08857676de68f2cbf4f07de84508630141c3d44227a0fc0065070508cc82dda2d0a716c0228b9e78073828e34fec2526c8813ca0aa1fd01151f17eb794a9

Download Submit
C:\Program Files (x86)\Geekbench 6\amd_ags_x64.dll
Filesize
161KB

MD5
03b30f558124e1f77e54ed6878513143

SHA1
38941e25d2e3081e1b0bbf0e410f7a473a3dada9

SHA256
a1c8af8d9516f57418173d651b869dca6599d6808b5cf9093b9680d77c483bfa

SHA512
c95e87bc8fadc55b22093fe2d45773d9da3567e66255f870b7bc873ffc0e7ba0e88c7f234519e43da969eb2ad8bc17e3a0a6fb68fa676c91adc86b5815ef4f70

Download Submit
C:\Program Files (x86)\Geekbench 6\amd_ags_x64.dll
Filesize
161KB

MD5
03b30f558124e1f77e54ed6878513143

SHA1
38941e25d2e3081e1b0bbf0e410f7a473a3dada9

SHA256
a1c8af8d9516f57418173d651b869dca6599d6808b5cf9093b9680d77c483bfa

SHA512
c95e87bc8fadc55b22093fe2d45773d9da3567e66255f870b7bc873ffc0e7ba0e88c7f234519e43da969eb2ad8bc17e3a0a6fb68fa676c91adc86b5815ef4f70

Download Submit
C:\Program Files (x86)\Geekbench 6\cpuidsdk64.dll
Filesize
2.3MB

MD5
a76f7550e11c2ecb5fb7a7a0b14b5859

SHA1
bdd3c756cd8217a7d4ac5a4481bd29544255f3ac

SHA256
69c5b89ed32b47d8df0ab95e18e8e6149c97d6d4a647591e78e0f4eb3baa26c8

SHA512
e34d51827814f3d0675f350d60bb8b1297c17ceb89e87507c083af62e6a9e96c23c23fda4fad8ae9006f2769d6deff9230fe1c57db77a7315fdb35c1039bf4ad

Download Submit
C:\Program Files (x86)\Geekbench 6\cpuidsdk64.dll
Filesize
2.3MB

MD5
a76f7550e11c2ecb5fb7a7a0b14b5859

SHA1
bdd3c756cd8217a7d4ac5a4481bd29544255f3ac

SHA256
69c5b89ed32b47d8df0ab95e18e8e6149c97d6d4a647591e78e0f4eb3baa26c8

SHA512
e34d51827814f3d0675f350d60bb8b1297c17ceb89e87507c083af62e6a9e96c23c23fda4fad8ae9006f2769d6deff9230fe1c57db77a7315fdb35c1039bf4ad

Download Submit
C:\Program Files (x86)\Geekbench 6\geekbench-workload.plar
Filesize
374.6MB

MD5
caadcca239940e02291ded648d1ec1ae

SHA1
b7113979a23ef1f3efbc50b1647bfc0f001714a4

SHA256
26a4ce63c0dfa49c2870b5a835dec1d0167f43da47ff7a173e77b00174571d6d

SHA512
5416a3dfa950a01bfaf9804dfce4d287860a18a74ebfbc16765bc2714cfe7891f7dbc7e91d1e1c5dee100120fa16aada638bb1c610fc913a25b89e91e079b0b6

Download Submit
C:\Program Files (x86)\Geekbench 6\geekbench.plar
Filesize
4.1MB

MD5
01996fbc5b0b156abd2fc8260c2a49e2

SHA1
94d89e8f288bfbec20ad0c68110431dee12a4a8e

SHA256
853fa99a8e533a9059f0eb5791dfa021b800f930c3af4e557733bad72b5994ff

SHA512
6432940c2faad24cf37724b1ada4d191a2052d9597ea2869cbb3abd4b4953bf19ca0162871cdde7af6efe3ac399e523576fee00e4c895e69aae0358c77eefeb6

Download Submit
C:\Program Files (x86)\Geekbench 6\geekbench_avx2.exe
Filesize
60.7MB

MD5
f7c6b40052731d6d4dae27282077a6b5

SHA1
9818d92d20823964cba312d2cae1c83f1515815e

SHA256
719d1a6b881ba30323eb396d240c8dd41259baa90de5bc5d900a9ac672963385

SHA512
0a52a179fed914d239e7cb400b32b2a2716a1d1b039f005666761e3c3c4bca056bacb97ff00902690b1feea95fe7b5aed3c929e43029552e10d44addc9a3601d

Download Submit
C:\Program Files (x86)\Geekbench 6\geekbench_avx2.exe
Filesize
60.7MB

MD5
f7c6b40052731d6d4dae27282077a6b5

SHA1
9818d92d20823964cba312d2cae1c83f1515815e

SHA256
719d1a6b881ba30323eb396d240c8dd41259baa90de5bc5d900a9ac672963385

SHA512
0a52a179fed914d239e7cb400b32b2a2716a1d1b039f005666761e3c3c4bca056bacb97ff00902690b1feea95fe7b5aed3c929e43029552e10d44addc9a3601d

Download Submit
C:\Program Files (x86)\Geekbench 6\pl_opencl_x86_64.dll
Filesize
106KB

MD5
9938ce0dc0ec464e8d2917c6ff0e4614

SHA1
a8c20c449d3512e2f492d2b25fa8c42d0265e3fd

SHA256
e425df49f1b26194adf5409359f442aad256c291a8188e24957cb572f165d498

SHA512
4447e5186cbcd8863d9212c1be9c16b360e324ba7aa23dc191e029b0ee3677c1db4db2564fe6f21e7ef234d61a6a745aa10fc0f165de199ee47e432caa0612f2

Download Submit
C:\Program Files (x86)\Geekbench 6\pl_opencl_x86_64.dll
Filesize
106KB

MD5
9938ce0dc0ec464e8d2917c6ff0e4614

SHA1
a8c20c449d3512e2f492d2b25fa8c42d0265e3fd

SHA256
e425df49f1b26194adf5409359f442aad256c291a8188e24957cb572f165d498

SHA512
4447e5186cbcd8863d9212c1be9c16b360e324ba7aa23dc191e029b0ee3677c1db4db2564fe6f21e7ef234d61a6a745aa10fc0f165de199ee47e432caa0612f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB81B.tmp\InstallOptions.dll
Filesize
14KB

MD5
5f35212d7e90ee622b10be39b09bd270

SHA1
c4bc9593902adf6daaef37e456dc6100d50d0925

SHA256
31944b93e44301974d9c6f810d2da792e34a53dcacd619a08cb0385ac59e513d

SHA512
7514810367f56d994c6d5703b56ac16124fab5dfdcfbe337d4413274c1ff9037a2ee623e49ab2fb6227412ab29fcc49a3ada1391910d44c2b5de0adeb3e7c2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB81B.tmp\StartMenu.dll
Filesize
7KB

MD5
26836307758e048d1ce0afe754d6a972

SHA1
23a8f45cf5e2ad78add3c4dd3b3cf15fffced2cc

SHA256
a6919f5f3b53a9c8c015413babe7a9872491a2583e49bb3c261e60785c3c3534

SHA512
aaf7cfbb9c6951b65bd377db401617812f1d47960a01ae99164183c642fbd8f1ce08720bc92d26b642da5433b80720dfcd96280a162decf678139966be132746

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB81B.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB81B.tmp\ioSpecial.ini
Filesize
712B

MD5
70f1000eaa9fc70444405dbc2c520d7f

SHA1
4f5c127a666b1a64de57b7ddced33565af32b1bb

SHA256
464d196d275943324608677210a7da5cc66162dba38a38291c0656778e08860e

SHA512
0dd4e49bb3824f7189bf666963442a6aa68f48c1af199ecc2ffdedc8de5f371b539bcea4a02959b29e423e77fe18ecc18e04a7e76d5e7f0a407aaaf7bd746045

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB81B.tmp\ioSpecial.ini
Filesize
778B

MD5
331568dcb49af9a7f19c36efb1236722

SHA1
ccc138ae47f20f904f8bf1b5d025fc75e128e097

SHA256
c6683c168969196e558f4df6c1db533223105b1de0aff3ce8f92eec95fdb08c0

SHA512
b056b9e09edf1b525fef42c2293887a7b874b8bf0b1e7c3c1fc858145c7747aa5f816085266e0dca2fc7c8a482755408e2311e4ee75fccc6e0255437e8c2fa13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB81B.tmp\ioSpecial.ini
Filesize
778B

MD5
5667bb250cd8764a63a9cacb9dc5ba62

SHA1
c62dcec518339342e3c7538178f032f989fd727b

SHA256
b5d729143a6b9e11104ccab638cdf8b3b9af5491e0a004ea3ca8eed6bf68d4b0

SHA512
f5ea09caf3db18dd14302ac0c8f2ef0f64c59fc2f36775bb64a98d50060adcc3b50d977248102033a37070013e21fdf60fd81ea638f5a16c106a83d5acbd1ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseB81B.tmp\ioSpecial.ini
Filesize
804B

MD5
a790807ad2a31d62369bd703c8d4a2ce

SHA1
aecd605059818ddd38930d3311990a76e596b47a

SHA256
f13fcf92363bb8ea99e406a8fcf6648139f23051a47fb5ecf605cb875be47471

SHA512
2e129199bf98016b441965bb22173bde1d108823f64a9f3721ba11a344c14c0f22281f14ad2398dfc8656ff690bc20bdac55b87aed78f845cac74e8500bf72ea

Download Submit