Analysis
- max time kernel: 150s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2023 02:37
Behavioral task: behavioral1
- Sample: e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
- Resource: win10v2004-20230220-en
General
- Target: e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
- Size: 1.4MB
- MD5: 8a4d81dbc2c12e6c1dca9822d8d4e373
- SHA1: fba629cce2b148d7220088421b031cb8d6cdbdeb
- SHA256: e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b
- SHA512: 9962187b57da69b0bf2da2e4ea12cdfda2c4f5a531ed1cea5b2d95087e4973af5e7c970c490f08728d1ef15b38b303f6666304b833e73cff2ee62d9f93e9f586
- SSDEEP: 24576:qjpl25IzQ4JnFbMzqaIYtWXwjqebU0XvgwuQ9PrEfAHAKF/:qjPOkFSqa3tWXwFbdXIwu0Ik/
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | cpuz_x64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
Executes dropped EXE (1 IoCs)
Processes:
pid | process
4244 | cpuz_x64.exe
Processes:
resource | yara_rule
behavioral2/memory/932-133-0x0000000000400000-0x000000000045F000-memory.dmp | upx
behavioral2/memory/932-192-0x0000000000400000-0x000000000045F000-memory.dmp | upx
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | cpuz_x64.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 2 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | cpuz_x64.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | cpuz_x64.exe
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings | cpuz_x64.exe
Opens file in notepad (likely ransom note) (1 IoCs)
Processes:
pid | process
552 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
4244 | cpuz_x64.exe
4244 | cpuz_x64.exe
Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
pid | process
668 |
668 |
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeLoadDriverPrivilege | 4244 | cpuz_x64.exe
Token: SeLoadDriverPrivilege | 4244 | cpuz_x64.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
4244 | cpuz_x64.exe
4244 | cpuz_x64.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 932 wrote to memory of 2360 | 932 | e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe | cmd.exe
PID 932 wrote to memory of 2360 | 932 | e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe | cmd.exe
PID 2360 wrote to memory of 4512 | 2360 | cmd.exe | attrib.exe
PID 2360 wrote to memory of 4512 | 2360 | cmd.exe | attrib.exe
PID 932 wrote to memory of 4244 | 932 | e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe | cpuz_x64.exe
PID 932 wrote to memory of 4244 | 932 | e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe | cpuz_x64.exe
PID 4244 wrote to memory of 552 | 4244 | cpuz_x64.exe | NOTEPAD.EXE
PID 4244 wrote to memory of 552 | 4244 | cpuz_x64.exe | NOTEPAD.EXE
Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\attrib.exe
      command line: attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
      - Views/modifies file attributes
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_4244.log
      - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz.ini
- Filesize: 48B
- MD5: 70a3a3428b742aeff30451ef3df6aa76
- SHA1: 70a2f56779d831aa51fcd4cab11fee51edca145e
- SHA256: a67f746b3db06b634cec9604b7c37b4b0a783cb2cbddad8818ad04e0db6b1c90
- SHA512: e2fbdbe6cd4aaf8401c261b08bc60723d832d087ff06c7882aa21fbf06916522ab5115a37ae312d39102037f12bd1f7fd60d24e1c934f135c4d81a6f52c091c8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
- Filesize: 4.3MB
- MD5: 0035ba75c4387f632654db37899e74a7
- SHA1: f2bd794e308155e56d5e9829ee229170d0b4414c
- SHA256: 8e42ad74b41fa853204b9e3e5af9db401c07f5ccfb82362ee66673662236ad3a
- SHA512: a1e839fc3ea72a4c001ac4d62fa3f209812fb1badbaee47bd10ad6156b2cbf7746abda152217b26fc94ef73ac9047b5e3cc8f468380d92b8d3851a0dab54f91c
C:\Windows\Temp\cpuz_driver_4244.log
- Filesize: 2KB
- MD5: 4d54ea26e39e526e7d3323f13402aecc
- SHA1: f571b948748dce4232a74ffa093bb13a598814d9
- SHA256: bd24648bcb24c20db4ca7a9ce7179e1a0a9c71492d91d006dd951fd3bcabcbfa
- SHA512: f38192de4e1102eef70bcba101564dcff036c272b9cf57483a423bb64ccfd1892330042b9b4b452007daf6d241e448258ba1b4596040e88e9977381b7e7ffe96
C:\Windows\temp\cpuz_driver_4244.log
- Filesize: 2KB
- MD5: 8c2d5575dce6ddcff8f2f9cd65e54dfb
- SHA1: ea1b0275aef4afb74154dd8264958b331ca41190
- SHA256: d3697fe634ee61a1c9b99c9fbeb079922fa15bd3b9e8919bf71b6460e5944a62
- SHA512: 88ed55bbcd7ae50fb1024b39fadb2587de8c4aaf63f6e35d3c5d64ef2fb8d49728e62c322cafd3c90c086f5f26250138733e160613efbafc321c4ea6ebfc849e
memory/932-133-0x0000000000400000-0x000000000045F000-memory.dmp
- Filesize: 380KB
memory/932-192-0x0000000000400000-0x000000000045F000-memory.dmp
- Filesize: 380KB