Analysis

  • max time kernel
    30s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/03/2023, 08:28

Errors

Reason
Machine shutdown

General

  • Target

    GPUPI.exe

  • Size

    1.9MB

  • MD5

    2d01c4e4c808de006d4e7b1609b813ac

  • SHA1

    20ebcf75169089915b9eee4335154eb208d2eac3

  • SHA256

    0dcf7ca71284d3843f985c249755f8824ddfe73ad103e46e06e0bdedf496aa5e

  • SHA512

    9630ac8acc13aa59a3f5e8fcfc969ef7514f6c706f21be11ddfad7a529cae138e4a98e944741af8b6e313a60c153fbd451f7b573947930dc11c4942e35807e43

  • SSDEEP

    24576:s2rIanXQYe44S+X4PtbgSDC6YQsEHqMgHpKlwMiHOV+++++++rh2INMPfd:lXQYXE4JgACk8pa9iHO2h2INMd

Score
9/10

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GPUPI.exe
    "C:\Users\Admin\AppData\Local\Temp\GPUPI.exe"
    1⤵
    • Checks computer location settings
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Windows\system32\bcdedit.exe
      "C:\Windows\sysnative\bcdedit.exe" /set useplatformclock yes
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1668
    • C:\Windows\system32\bcdedit.exe
      C:\Windows\sysnative\bcdedit.exe /enum
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:2528
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3990055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3316

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3548-133-0x0000000074990000-0x0000000074CFF000-memory.dmp

          Filesize

          3.4MB

        • memory/3548-136-0x0000000074990000-0x0000000074CFF000-memory.dmp

          Filesize

          3.4MB