Analysis
- max time kernel: 30s
- max time network: 40s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/03/2023, 08:28
Static task
- static1

Behavioral tasks
- behavioral1: sample GPUPI-CLI.exe, resource win7-20230220-en
- behavioral2: sample GPUPI-CLI.exe, resource win10v2004-20230220-en
- behavioral3: sample GPUPI.exe, resource win7-20230220-en
- behavioral4: sample GPUPI.exe, resource win10v2004-20230220-en
- behavioral5: sample HWiNFO32.dll, resource win7-20230220-en
- behavioral6: sample HWiNFO32.dll, resource win10v2004-20230220-en
- behavioral7: sample cudart32_65.dll, resource win7-20230220-en
- behavioral8: sample cudart32_65.dll, resource win10v2004-20230220-en
Errors
General
- Target: GPUPI.exe
- Size: 1.9MB
- MD5: 2d01c4e4c808de006d4e7b1609b813ac
- SHA1: 20ebcf75169089915b9eee4335154eb208d2eac3
- SHA256: 0dcf7ca71284d3843f985c249755f8824ddfe73ad103e46e06e0bdedf496aa5e
- SHA512: 9630ac8acc13aa59a3f5e8fcfc969ef7514f6c706f21be11ddfad7a529cae138e4a98e944741af8b6e313a60c153fbd451f7b573947930dc11c4942e35807e43
- SSDEEP: 24576:s2rIanXQYe44S+X4PtbgSDC6YQsEHqMgHpKlwMiHOV+++++++rh2INMPfd:lXQYXE4JgACk8pa9iHO2h2INMd
Malware Config
Signatures
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
- pid 1668, process bcdedit.exe
- pid 2528, process bcdedit.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (process GPUPI.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process GPUPI.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process GPUPI.exe)

Modifies data under HKEY_USERS (15 IoCs)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (process LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218" (process LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (process LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (process LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (process LogonUI.exe)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeShutdownPrivilege, pid 3548, process GPUPI.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
- pid 3316, process LogonUI.exe

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 3548 wrote to memory of 1668 (process GPUPI.exe, procid_target 88)
- PID 3548 wrote to memory of 1668 (process GPUPI.exe, procid_target 88)
- PID 3548 wrote to memory of 2528 (process GPUPI.exe, procid_target 91)
- PID 3548 wrote to memory of 2528 (process GPUPI.exe, procid_target 91)
Processes
- C:\Users\Admin\AppData\Local\Temp\GPUPI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GPUPI.exe"
  PID: 3548
  Signatures:
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\bcdedit.exe
    Command line: "C:\Windows\sysnative\bcdedit.exe" /set useplatformclock yes
    PID: 1668
    Signatures:
    - Modifies boot configuration data using bcdedit
  - C:\Windows\system32\bcdedit.exe
    Command line: C:\Windows\sysnative\bcdedit.exe /enum
    PID: 2528
    Signatures:
    - Modifies boot configuration data using bcdedit
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3990055 /state1:0x41c64e6d
  PID: 3316
  Signatures:
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx