07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-03-2023 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
Size

2.0MB
MD5

6907cfa5464e6a5913b421825dce7111
SHA1

778d3580e81e7b2bb3a16f17344c58a27fead198
SHA256

07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2
SHA512

cb9576b52183e2f8ceed1f215d544b58520840a70ace574d270fe90f3ecf70f42c9b0595db8b30b50f66704b3bb77339b22a786989cf48d8c1ad3104b10a401e
SSDEEP

49152:sojlbp7NiiL/Dyae5u/yxn6n8hW4qINUcw0l:sqb1Niq/Dyx5u/yoi4U3l

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

cpuz_x64.exe

pid process

916 cpuz_x64.exe
1224

pid	process
916	cpuz_x64.exe
1224

Loads dropped DLL 10 IoCs

Processes:

07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exeWerFault.exe

pid	process
624	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
624	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
1224
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cpuz_x64.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cpuz_x64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1320 916 WerFault.exe cpuz_x64.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1052 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cpuz_x64.exe

pid process

916 cpuz_x64.exe
916 cpuz_x64.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

460
460
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cpuz_x64.exe

description pid process

Token: SeLoadDriverPrivilege 916 cpuz_x64.exe
Token: SeLoadDriverPrivilege 916 cpuz_x64.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cpuz_x64.exe

pid process

916 cpuz_x64.exe
916 cpuz_x64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cpuz_x64.exe

pid	pid_target	process	target process
1320	916	WerFault.exe	cpuz_x64.exe

pid	process
1052	NOTEPAD.EXE

pid	process
916	cpuz_x64.exe
916	cpuz_x64.exe

pid	process
460
460

description	pid	process
Token: SeLoadDriverPrivilege	916	cpuz_x64.exe
Token: SeLoadDriverPrivilege	916	cpuz_x64.exe

pid	process
916	cpuz_x64.exe
916	cpuz_x64.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.execpuz_x64.exe

description	pid	process	target process
PID 624 wrote to memory of 916	624	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe	cpuz_x64.exe
PID 624 wrote to memory of 916	624	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe	cpuz_x64.exe
PID 624 wrote to memory of 916	624	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe	cpuz_x64.exe
PID 624 wrote to memory of 916	624	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe	cpuz_x64.exe
PID 916 wrote to memory of 1052	916	cpuz_x64.exe	NOTEPAD.EXE
PID 916 wrote to memory of 1052	916	cpuz_x64.exe	NOTEPAD.EXE
PID 916 wrote to memory of 1052	916	cpuz_x64.exe	NOTEPAD.EXE
PID 916 wrote to memory of 1320	916	cpuz_x64.exe	WerFault.exe
PID 916 wrote to memory of 1320	916	cpuz_x64.exe	WerFault.exe
PID 916 wrote to memory of 1320	916	cpuz_x64.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
"C:\Users\Admin\AppData\Local\Temp\07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_916.log
3⤵
- Opens file in notepad (likely ransom note)
PID:1052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 916 -s 408
3⤵
- Loads dropped DLL
- Program crash
PID:1320

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz.ini
Filesize
592B

MD5
28cb3f738f57d043403c2150002b294a

SHA1
e5f66cefb0308fec0085fc1c59f8516ce938532d

SHA256
af06ee01ee46fc05953334f880308b1d9efc41bb35e9f6a5ca69fe04e76b6ffb

SHA512
3c866990075b5bbf94801a5eaedcd780d6e897ea38bf9d9b23ff3277e6cf33b72a963133db782d44430d32f028216e296d4d35e3a2ee295d15d3114234f7b0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
C:\Windows\temp\cpuz_driver_916.log
Filesize
2KB

MD5
384da674915e7635062ba1d05ff39b39

SHA1
15d812b698899eda426586ac799ca82aed3491b9

SHA256
72718be434f9d7a64fed8c72954e3d7f99544a864a9f083d566440c6801b214f

SHA512
d0354aa31a6cf003f15c515015ae2210bddd65edd7e27a8ba7190143b1f41dd295126fdec5413011b618343beb4e42cb51e656ef918efcd21f388f1e2e29fcc9

Download Submit
\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
\Users\Admin\AppData\Local\Temp\nsoFB24.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit