Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-03-2023 13:53
Static task: static1
Behavioral task: behavioral1
  Sample: 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
  Resource: win10v2004-20230220-en
General
- Target: 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
- Size: 2.0MB
- MD5: 6907cfa5464e6a5913b421825dce7111
- SHA1: 778d3580e81e7b2bb3a16f17344c58a27fead198
- SHA256: 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2
- SHA512: cb9576b52183e2f8ceed1f215d544b58520840a70ace574d270fe90f3ecf70f42c9b0595db8b30b50f66704b3bb77339b22a786989cf48d8c1ad3104b10a401e
- SSDEEP: 49152:sojlbp7NiiL/Dyae5u/yxn6n8hW4qINUcw0l:sqb1Niq/Dyx5u/yoi4U3l
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (cpuz_x64.exe):
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | cpuz_x64.exe
- Executes dropped EXE (1 IoC)
  Processes (cpuz_x64.exe):
    pid | process
    1896 | cpuz_x64.exe
- Loads dropped DLL (3 IoCs)
  Processes (07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe):
    pid | process
    2644 | 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
    2644 | 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
    2644 | 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (cpuz_x64.exe):
    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | cpuz_x64.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (WerFault.exe):
    pid | pid_target | process | target process
    4552 | 1896 | WerFault.exe | cpuz_x64.exe
- Checks SCSI registry key(s) (3 TTPs, 2 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (cpuz_x64.exe):
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | cpuz_x64.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | cpuz_x64.exe
- Modifies registry class (1 IoC)
  Processes (cpuz_x64.exe):
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | cpuz_x64.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (NOTEPAD.EXE):
    pid | process
    4492 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (cpuz_x64.exe):
    pid | process
    1896 | cpuz_x64.exe
    1896 | cpuz_x64.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
    pid | process
    664 |
    664 |
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (cpuz_x64.exe):
    description | pid | process
    Token: SeLoadDriverPrivilege | 1896 | cpuz_x64.exe
    Token: SeLoadDriverPrivilege | 1896 | cpuz_x64.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (cpuz_x64.exe):
    pid | process
    1896 | cpuz_x64.exe
    1896 | cpuz_x64.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe, cpuz_x64.exe):
    description | pid | process | target process
    PID 2644 wrote to memory of 1896 | 2644 | 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe | cpuz_x64.exe
    PID 2644 wrote to memory of 1896 | 2644 | 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe | cpuz_x64.exe
    PID 1896 wrote to memory of 4492 | 1896 | cpuz_x64.exe | NOTEPAD.EXE
    PID 1896 wrote to memory of 4492 | 1896 | cpuz_x64.exe | NOTEPAD.EXE
    PID 2644 wrote to memory of 3628 | 2644 | 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe | cmd.exe
    PID 2644 wrote to memory of 3628 | 2644 | 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe | cmd.exe
    PID 2644 wrote to memory of 3628 | 2644 | 07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
    Signatures: Checks computer location settings; Executes dropped EXE; Writes to the Master Boot Record (MBR); Checks SCSI registry key(s); Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\NOTEPAD.EXE (depth 3)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1896.log
      Signatures: Opens file in notepad (likely ransom note)
    - C:\Windows\system32\WerFault.exe (depth 3)
      Command line: C:\Windows\system32\WerFault.exe -u -p 1896 -s 508
      Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c rd /s /q %TEMP%
- C:\Windows\system32\WerFault.exe (depth 1)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 420 -p 1896 -ip 1896
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz.ini
  Filesize: 592B
  MD5: 28cb3f738f57d043403c2150002b294a
  SHA1: e5f66cefb0308fec0085fc1c59f8516ce938532d
  SHA256: af06ee01ee46fc05953334f880308b1d9efc41bb35e9f6a5ca69fe04e76b6ffb
  SHA512: 3c866990075b5bbf94801a5eaedcd780d6e897ea38bf9d9b23ff3277e6cf33b72a963133db782d44430d32f028216e296d4d35e3a2ee295d15d3114234f7b0ae
- C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
  Filesize: 4.3MB
  MD5: 33b4d52019b1f915d628f0ba7f75c22b
  SHA1: 5e27b226f4d5b4c50fa04bf9258c8939453a52eb
  SHA256: e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be
  SHA512: ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab
- C:\Users\Admin\AppData\Local\Temp\nsc80BF.tmp
  Filesize: 8.3MB
  MD5: 28c84c04b273888f66fa7e32a37265ed
  SHA1: d6b18f74d45926872de06ab67e1f0e35dcacc64d
  SHA256: 3377b5f59c82439c2ca51c130e033ed0710a12f45e0a3719cc57c4e09060abc0
  SHA512: 3ed123c40cdc6fcce391c3126c03f9332396878b844063e4b7d59f159451ce7ae090768d48374d1df1af7988bd52794546b9ea5b484b714ed2311770be325567
- C:\Users\Admin\AppData\Local\Temp\nsr80CF.tmp\System.dll
  Filesize: 11KB
  MD5: 00a0194c20ee912257df53bfe258ee4a
  SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
  SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
  SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
- C:\Users\Admin\AppData\Local\Temp\nsr80CF.tmp\nsExec.dll
  Filesize: 6KB
  MD5: e54eb27fb5048964e8d1ec7a1f72334b
  SHA1: 2b76d7aedafd724de96532b00fbc6c7c370e4609
  SHA256: ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824
  SHA512: c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4
- C:\Windows\Temp\cpuz_driver_1896.log
  Filesize: 1KB
  MD5: 811fb0b54ecff92bba3831775e23f245
  SHA1: 5fee31875d6cf4bd43f81cf93161b75efc50dbef
  SHA256: 0e9d36b64b0a8a3ef7a8808fee0402a07dd3a4e994d69216322f3da237b3a1eb
  SHA512: 4446c78521fa3cbb3b8296694b4106a4d21693b46c98043c05daf3cbee89ee239add5d00bcd94cbfc74456392f8bb0ad7d58fb0c22b6ec2aaf3545df557993b0
- C:\Windows\Temp\cpuz_driver_1896.log
  Filesize: 2KB
  MD5: 26cc1227446517bf8e50e491615ae6e0
  SHA1: e2c2d329784c3df86478837f138e80a5932fac95
  SHA256: fbd4a2a46934c1f84431c7057567b7a9daec7eed3f089f5d3660140744fa4ef6
  SHA512: cbbf9635a9d49c94bda46497c5290ef98eaca6a20b98a1adcfb7ff32d364c12bc025cd790300d47f26b0bce8b47ed81da8dfa3326ed7f234b0acd4b52995d1e5
- C:\Windows\temp\cpuz_driver_1896.log
  Filesize: 2KB
  MD5: ea3525280c565478c9800702c2b726bf
  SHA1: 3fdc7ed71d7eefe200693347ad603fc8b6a23be5
  SHA256: f9d6cc484d6c695180c55196bc77f745efed8a5e3cef5e7ac4ae815498c01ccb
  SHA512: b1b402da1261206d54fdb7f821133060258daf14279ec4efee1dc9219e2fd7dbf99a4931a56965dd3653be6d2503a7912d1b2bb1e96b2ab2ee9ffce047600803