Analysis
max time kernel: 140s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 29-03-2023 02:37
Behavioral task: behavioral1
Sample: e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
Resource: win10v2004-20230220-en
General
Target: e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
Size: 1.4MB
MD5: 8a4d81dbc2c12e6c1dca9822d8d4e373
SHA1: fba629cce2b148d7220088421b031cb8d6cdbdeb
SHA256: e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b
SHA512: 9962187b57da69b0bf2da2e4ea12cdfda2c4f5a531ed1cea5b2d95087e4973af5e7c970c490f08728d1ef15b38b303f6666304b833e73cff2ee62d9f93e9f586
SSDEEP: 24576:qjpl25IzQ4JnFbMzqaIYtWXwjqebU0XvgwuQ9PrEfAHAKF/:qjPOkFSqa3tWXwFbdXIwu0Ik/
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1868  cpuz_x64.exe
1264
Loads dropped DLL 2 IoCs
Processes:
pid   process
1060  e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
1264
Processes:
resource                                                                  yara_rule
behavioral1/memory/1060-58-0x0000000000400000-0x000000000045F000-memory.dmp  upx
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description                   ioc                 process
File opened for modification  \??\PhysicalDrive0  cpuz_x64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid   process
1792  NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1868  cpuz_x64.exe
1868  cpuz_x64.exe
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid   process
472
472
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description                    pid   process
Token: SeLoadDriverPrivilege   1868  cpuz_x64.exe
Token: SeLoadDriverPrivilege   1868  cpuz_x64.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1868  cpuz_x64.exe
1868  cpuz_x64.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description                       pid   process                                                                 target process
PID 1060 wrote to memory of 1016  1060  e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe  cmd.exe
PID 1060 wrote to memory of 1016  1060  e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe  cmd.exe
PID 1060 wrote to memory of 1016  1060  e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe  cmd.exe
PID 1060 wrote to memory of 1016  1060  e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe  cmd.exe
PID 1016 wrote to memory of 772   1016  cmd.exe                                                                 attrib.exe
PID 1016 wrote to memory of 772   1016  cmd.exe                                                                 attrib.exe
PID 1016 wrote to memory of 772   1016  cmd.exe                                                                 attrib.exe
PID 1060 wrote to memory of 1868  1060  e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe  cpuz_x64.exe
PID 1060 wrote to memory of 1868  1060  e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe  cpuz_x64.exe
PID 1060 wrote to memory of 1868  1060  e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe  cpuz_x64.exe
PID 1060 wrote to memory of 1868  1060  e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe  cpuz_x64.exe
PID 1868 wrote to memory of 1792  1868  cpuz_x64.exe                                                            NOTEPAD.EXE
PID 1868 wrote to memory of 1792  1868  cpuz_x64.exe                                                            NOTEPAD.EXE
PID 1868 wrote to memory of 1792  1868  cpuz_x64.exe                                                            NOTEPAD.EXE
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\attrib.exe
         Command line: attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
         - Views/modifies file attributes
   2. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\NOTEPAD.EXE
         Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1868.log
         - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz.ini
Filesize: 48B
MD5: 70a3a3428b742aeff30451ef3df6aa76
SHA1: 70a2f56779d831aa51fcd4cab11fee51edca145e
SHA256: a67f746b3db06b634cec9604b7c37b4b0a783cb2cbddad8818ad04e0db6b1c90
SHA512: e2fbdbe6cd4aaf8401c261b08bc60723d832d087ff06c7882aa21fbf06916522ab5115a37ae312d39102037f12bd1f7fd60d24e1c934f135c4d81a6f52c091c8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
Filesize: 4.3MB
MD5: 0035ba75c4387f632654db37899e74a7
SHA1: f2bd794e308155e56d5e9829ee229170d0b4414c
SHA256: 8e42ad74b41fa853204b9e3e5af9db401c07f5ccfb82362ee66673662236ad3a
SHA512: a1e839fc3ea72a4c001ac4d62fa3f209812fb1badbaee47bd10ad6156b2cbf7746abda152217b26fc94ef73ac9047b5e3cc8f468380d92b8d3851a0dab54f91c
C:\Windows\temp\cpuz_driver_1868.log
Filesize: 2KB
MD5: 3fa72064c98ded1ecca9e4acf947240a
SHA1: f1d282049908fa78f6857992930b914967cf8b8b
SHA256: 92c700ff20e935e5bb81f01d9bd1e0faa9e0a4f0be96e930ac799901dbd9448e
SHA512: cf22163db8f3e9a9e1b2a2bb355ca93c4df4cf341d27535377f84d1489cf8aedcc63462c62a8ea42bc19a0afdc73c60f9cb568d4f6418e6c37391035942f9538

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
Filesize: 4.3MB
MD5: 0035ba75c4387f632654db37899e74a7
SHA1: f2bd794e308155e56d5e9829ee229170d0b4414c
SHA256: 8e42ad74b41fa853204b9e3e5af9db401c07f5ccfb82362ee66673662236ad3a
SHA512: a1e839fc3ea72a4c001ac4d62fa3f209812fb1badbaee47bd10ad6156b2cbf7746abda152217b26fc94ef73ac9047b5e3cc8f468380d92b8d3851a0dab54f91c
memory/1060-58-0x0000000000400000-0x000000000045F000-memory.dmp
Filesize: 380KB