e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b

General

Target

e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
Size

1.4MB
MD5

8a4d81dbc2c12e6c1dca9822d8d4e373
SHA1

fba629cce2b148d7220088421b031cb8d6cdbdeb
SHA256

e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b
SHA512

9962187b57da69b0bf2da2e4ea12cdfda2c4f5a531ed1cea5b2d95087e4973af5e7c970c490f08728d1ef15b38b303f6666304b833e73cff2ee62d9f93e9f586
SSDEEP

24576:qjpl25IzQ4JnFbMzqaIYtWXwjqebU0XvgwuQ9PrEfAHAKF/:qjPOkFSqa3tWXwFbdXIwu0Ik/

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

cpuz_x64.exe

pid process

1868 cpuz_x64.exe
1264
Loads dropped DLL 2 IoCs

Processes:

e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe

pid process

1060 e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
1264

pid	process
1868	cpuz_x64.exe
1264

pid	process
1060	e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
1264

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1060-58-0x0000000000400000-0x000000000045F000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cpuz_x64.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cpuz_x64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1792 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cpuz_x64.exe

pid process

1868 cpuz_x64.exe
1868 cpuz_x64.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

472
472
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cpuz_x64.exe

description pid process

Token: SeLoadDriverPrivilege 1868 cpuz_x64.exe
Token: SeLoadDriverPrivilege 1868 cpuz_x64.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cpuz_x64.exe

pid process

1868 cpuz_x64.exe
1868 cpuz_x64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cpuz_x64.exe

pid	process
1792	NOTEPAD.EXE

pid	process
1868	cpuz_x64.exe
1868	cpuz_x64.exe

pid	process
472
472

description	pid	process
Token: SeLoadDriverPrivilege	1868	cpuz_x64.exe
Token: SeLoadDriverPrivilege	1868	cpuz_x64.exe

pid	process
1868	cpuz_x64.exe
1868	cpuz_x64.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.execmd.execpuz_x64.exe

description	pid	process	target process
PID 1060 wrote to memory of 1016	1060	e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe	cmd.exe
PID 1060 wrote to memory of 1016	1060	e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe	cmd.exe
PID 1060 wrote to memory of 1016	1060	e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe	cmd.exe
PID 1060 wrote to memory of 1016	1060	e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe	cmd.exe
PID 1016 wrote to memory of 772	1016	cmd.exe	attrib.exe
PID 1016 wrote to memory of 772	1016	cmd.exe	attrib.exe
PID 1016 wrote to memory of 772	1016	cmd.exe	attrib.exe
PID 1060 wrote to memory of 1868	1060	e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe	cpuz_x64.exe
PID 1060 wrote to memory of 1868	1060	e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe	cpuz_x64.exe
PID 1060 wrote to memory of 1868	1060	e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe	cpuz_x64.exe
PID 1060 wrote to memory of 1868	1060	e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe	cpuz_x64.exe
PID 1868 wrote to memory of 1792	1868	cpuz_x64.exe	NOTEPAD.EXE
PID 1868 wrote to memory of 1792	1868	cpuz_x64.exe	NOTEPAD.EXE
PID 1868 wrote to memory of 1792	1868	cpuz_x64.exe	NOTEPAD.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

772 attrib.exe

pid	process
772	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
"C:\Users\Admin\AppData\Local\Temp\e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
3⤵
- Views/modifies file attributes
PID:772

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1868.log
3⤵
- Opens file in notepad (likely ransom note)
PID:1792

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz.ini
Filesize
48B

MD5
70a3a3428b742aeff30451ef3df6aa76

SHA1
70a2f56779d831aa51fcd4cab11fee51edca145e

SHA256
a67f746b3db06b634cec9604b7c37b4b0a783cb2cbddad8818ad04e0db6b1c90

SHA512
e2fbdbe6cd4aaf8401c261b08bc60723d832d087ff06c7882aa21fbf06916522ab5115a37ae312d39102037f12bd1f7fd60d24e1c934f135c4d81a6f52c091c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
Filesize
4.3MB

MD5
0035ba75c4387f632654db37899e74a7

SHA1
f2bd794e308155e56d5e9829ee229170d0b4414c

SHA256
8e42ad74b41fa853204b9e3e5af9db401c07f5ccfb82362ee66673662236ad3a

SHA512
a1e839fc3ea72a4c001ac4d62fa3f209812fb1badbaee47bd10ad6156b2cbf7746abda152217b26fc94ef73ac9047b5e3cc8f468380d92b8d3851a0dab54f91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
Filesize
4.3MB

MD5
0035ba75c4387f632654db37899e74a7

SHA1
f2bd794e308155e56d5e9829ee229170d0b4414c

SHA256
8e42ad74b41fa853204b9e3e5af9db401c07f5ccfb82362ee66673662236ad3a

SHA512
a1e839fc3ea72a4c001ac4d62fa3f209812fb1badbaee47bd10ad6156b2cbf7746abda152217b26fc94ef73ac9047b5e3cc8f468380d92b8d3851a0dab54f91c

Download Submit
C:\Windows\temp\cpuz_driver_1868.log
Filesize
2KB

MD5
3fa72064c98ded1ecca9e4acf947240a

SHA1
f1d282049908fa78f6857992930b914967cf8b8b

SHA256
92c700ff20e935e5bb81f01d9bd1e0faa9e0a4f0be96e930ac799901dbd9448e

SHA512
cf22163db8f3e9a9e1b2a2bb355ca93c4df4cf341d27535377f84d1489cf8aedcc63462c62a8ea42bc19a0afdc73c60f9cb568d4f6418e6c37391035942f9538

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
Filesize
4.3MB

MD5
0035ba75c4387f632654db37899e74a7

SHA1
f2bd794e308155e56d5e9829ee229170d0b4414c

SHA256
8e42ad74b41fa853204b9e3e5af9db401c07f5ccfb82362ee66673662236ad3a

SHA512
a1e839fc3ea72a4c001ac4d62fa3f209812fb1badbaee47bd10ad6156b2cbf7746abda152217b26fc94ef73ac9047b5e3cc8f468380d92b8d3851a0dab54f91c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
Filesize
4.3MB

MD5
0035ba75c4387f632654db37899e74a7

SHA1
f2bd794e308155e56d5e9829ee229170d0b4414c

SHA256
8e42ad74b41fa853204b9e3e5af9db401c07f5ccfb82362ee66673662236ad3a

SHA512
a1e839fc3ea72a4c001ac4d62fa3f209812fb1badbaee47bd10ad6156b2cbf7746abda152217b26fc94ef73ac9047b5e3cc8f468380d92b8d3851a0dab54f91c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
Filesize
4.3MB

MD5
0035ba75c4387f632654db37899e74a7

SHA1
f2bd794e308155e56d5e9829ee229170d0b4414c

SHA256
8e42ad74b41fa853204b9e3e5af9db401c07f5ccfb82362ee66673662236ad3a

SHA512
a1e839fc3ea72a4c001ac4d62fa3f209812fb1badbaee47bd10ad6156b2cbf7746abda152217b26fc94ef73ac9047b5e3cc8f468380d92b8d3851a0dab54f91c

Download Submit
memory/1060-58-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing