07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
Size

2.0MB
MD5

6907cfa5464e6a5913b421825dce7111
SHA1

778d3580e81e7b2bb3a16f17344c58a27fead198
SHA256

07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2
SHA512

cb9576b52183e2f8ceed1f215d544b58520840a70ace574d270fe90f3ecf70f42c9b0595db8b30b50f66704b3bb77339b22a786989cf48d8c1ad3104b10a401e
SSDEEP

49152:sojlbp7NiiL/Dyae5u/yxn6n8hW4qINUcw0l:sqb1Niq/Dyx5u/yoi4U3l

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cpuz_x64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	cpuz_x64.exe

Executes dropped EXE 1 IoCs

Processes:

cpuz_x64.exe

pid process

1896 cpuz_x64.exe

pid	process
1896	cpuz_x64.exe

Loads dropped DLL 3 IoCs

Processes:

07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe

pid	process
2644	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
2644	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
2644	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cpuz_x64.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cpuz_x64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4552 1896 WerFault.exe cpuz_x64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cpuz_x64.exe

pid	pid_target	process	target process
4552	1896	WerFault.exe	cpuz_x64.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cpuz_x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	cpuz_x64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	cpuz_x64.exe

Modifies registry class 1 IoCs

Processes:

cpuz_x64.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings cpuz_x64.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4492 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cpuz_x64.exe

pid process

1896 cpuz_x64.exe
1896 cpuz_x64.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cpuz_x64.exe

description pid process

Token: SeLoadDriverPrivilege 1896 cpuz_x64.exe
Token: SeLoadDriverPrivilege 1896 cpuz_x64.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cpuz_x64.exe

pid process

1896 cpuz_x64.exe
1896 cpuz_x64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cpuz_x64.exe

pid	process
4492	NOTEPAD.EXE

pid	process
1896	cpuz_x64.exe
1896	cpuz_x64.exe

pid	process
664
664

description	pid	process
Token: SeLoadDriverPrivilege	1896	cpuz_x64.exe
Token: SeLoadDriverPrivilege	1896	cpuz_x64.exe

pid	process
1896	cpuz_x64.exe
1896	cpuz_x64.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.execpuz_x64.exe

description	pid	process	target process
PID 2644 wrote to memory of 1896	2644	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe	cpuz_x64.exe
PID 2644 wrote to memory of 1896	2644	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe	cpuz_x64.exe
PID 1896 wrote to memory of 4492	1896	cpuz_x64.exe	NOTEPAD.EXE
PID 1896 wrote to memory of 4492	1896	cpuz_x64.exe	NOTEPAD.EXE
PID 2644 wrote to memory of 3628	2644	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe	cmd.exe
PID 2644 wrote to memory of 3628	2644	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe	cmd.exe
PID 2644 wrote to memory of 3628	2644	07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe
"C:\Users\Admin\AppData\Local\Temp\07895bdc63fbeca17c4c2e60885470b60d5c2d12d1905d55c651811e393613c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1896.log
3⤵
- Opens file in notepad (likely ransom note)
PID:4492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1896 -s 508
3⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /c rd /s /q %TEMP%
2⤵
PID:3628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 1896 -ip 1896
1⤵
PID:3504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz.ini
Filesize
592B

MD5
28cb3f738f57d043403c2150002b294a

SHA1
e5f66cefb0308fec0085fc1c59f8516ce938532d

SHA256
af06ee01ee46fc05953334f880308b1d9efc41bb35e9f6a5ca69fe04e76b6ffb

SHA512
3c866990075b5bbf94801a5eaedcd780d6e897ea38bf9d9b23ff3277e6cf33b72a963133db782d44430d32f028216e296d4d35e3a2ee295d15d3114234f7b0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPU-Z\cpuz_x64.exe
Filesize
4.3MB

MD5
33b4d52019b1f915d628f0ba7f75c22b

SHA1
5e27b226f4d5b4c50fa04bf9258c8939453a52eb

SHA256
e73040bd430e6e4ce21d1a7e49af42b4e5c755d6454f8a51896769aa2a4864be

SHA512
ba8033e0f38223bab5823e8c452b191e1370d9b9c1e80d7334fae30554e506d300523449ecc12493210a29349c93ae2395e8bd930980eefd52c1f30cabd562ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc80BF.tmp
Filesize
8.3MB

MD5
28c84c04b273888f66fa7e32a37265ed

SHA1
d6b18f74d45926872de06ab67e1f0e35dcacc64d

SHA256
3377b5f59c82439c2ca51c130e033ed0710a12f45e0a3719cc57c4e09060abc0

SHA512
3ed123c40cdc6fcce391c3126c03f9332396878b844063e4b7d59f159451ce7ae090768d48374d1df1af7988bd52794546b9ea5b484b714ed2311770be325567

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr80CF.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr80CF.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr80CF.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr80CF.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr80CF.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr80CF.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Windows\Temp\cpuz_driver_1896.log
Filesize
1KB

MD5
811fb0b54ecff92bba3831775e23f245

SHA1
5fee31875d6cf4bd43f81cf93161b75efc50dbef

SHA256
0e9d36b64b0a8a3ef7a8808fee0402a07dd3a4e994d69216322f3da237b3a1eb

SHA512
4446c78521fa3cbb3b8296694b4106a4d21693b46c98043c05daf3cbee89ee239add5d00bcd94cbfc74456392f8bb0ad7d58fb0c22b6ec2aaf3545df557993b0

Download Submit
C:\Windows\Temp\cpuz_driver_1896.log
Filesize
1KB

MD5
811fb0b54ecff92bba3831775e23f245

SHA1
5fee31875d6cf4bd43f81cf93161b75efc50dbef

SHA256
0e9d36b64b0a8a3ef7a8808fee0402a07dd3a4e994d69216322f3da237b3a1eb

SHA512
4446c78521fa3cbb3b8296694b4106a4d21693b46c98043c05daf3cbee89ee239add5d00bcd94cbfc74456392f8bb0ad7d58fb0c22b6ec2aaf3545df557993b0

Download Submit
C:\Windows\Temp\cpuz_driver_1896.log
Filesize
2KB

MD5
26cc1227446517bf8e50e491615ae6e0

SHA1
e2c2d329784c3df86478837f138e80a5932fac95

SHA256
fbd4a2a46934c1f84431c7057567b7a9daec7eed3f089f5d3660140744fa4ef6

SHA512
cbbf9635a9d49c94bda46497c5290ef98eaca6a20b98a1adcfb7ff32d364c12bc025cd790300d47f26b0bce8b47ed81da8dfa3326ed7f234b0acd4b52995d1e5

Download Submit
C:\Windows\temp\cpuz_driver_1896.log
Filesize
2KB

MD5
ea3525280c565478c9800702c2b726bf

SHA1
3fdc7ed71d7eefe200693347ad603fc8b6a23be5

SHA256
f9d6cc484d6c695180c55196bc77f745efed8a5e3cef5e7ac4ae815498c01ccb

SHA512
b1b402da1261206d54fdb7f821133060258daf14279ec4efee1dc9219e2fd7dbf99a4931a56965dd3653be6d2503a7912d1b2bb1e96b2ab2ee9ffce047600803

Download Submit