Malware Analysis Report

2025-08-05 17:08

Sample ID: 230331-kc6flsad6t
Target: gpupi_3.3.2_legacy.zip
SHA256: cc46b457880a2ce803e699cbe396da1187ad20e2588dce400bb3ff05ed1e1bb5
Tags: evasion, ransomware
Score: 9/10


Analysis Overview

Score: 9/10
SHA256: cc46b457880a2ce803e699cbe396da1187ad20e2588dce400bb3ff05ed1e1bb5
Threat Level: Likely malicious

The file gpupi_3.3.2_legacy.zip was found to be: Likely malicious.

The score and the evasion/ransomware tags rest on one signature, "Modifies boot configuration data using bcdedit", raised in behavioral4 for GPUPI.exe. The two bcdedit.exe command lines captured there are "/set useplatformclock yes" (forces the platform clock, HPET, as the kernel timer source from the next boot) and "/enum" (a read-only listing of the BCD store); neither is one of the recovery-disabling settings (recoveryenabled no, bootstatuspolicy ignoreallfailures) that ransomware sets with bcdedit. The remaining signatures are registry reads, parent-to-child memory writes consistent with process creation, and registry writes made by LogonUI.exe rather than by the sample. Treat the verdict as a prompt for manual review of the extracted executables, not as a confirmed detection.

Malicious Activity Summary

Tags: evasion, ransomware

Modifies boot configuration data using bcdedit (behavioral4)

ACProtect 1.3x - 1.4x DLL software (static1)

Checks computer location settings (behavioral4)

Program crash (behavioral8)

Enumerates physical storage devices (behavioral4)

Checks processor information in registry (behavioral2, behavioral4)

Suspicious use of WriteProcessMemory (behavioral4, behavioral5, behavioral6, behavioral8)

Modifies data under HKEY_USERS (behavioral4)

Suspicious use of AdjustPrivilegeToken (behavioral4)

Suspicious use of SetWindowsHookEx (behavioral4)

MITRE ATT&CK (Enterprise Matrix V6)

No technique entries are present in this export.

Analysis: static1

Detonation Overview

Reported: 2023-03-31 08:28

Signatures

ACProtect 1.3x - 1.4x DLL software

ACProtect is a commercial executable protector. This is a static match against the archive contents with no process or indicator attached, so it is a packing hint to confirm on the extracted file, not an observed behaviour.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-03-31 08:28
Reported: 2023-03-31 08:35
Platform: win10v2004-20230220-en
Max time kernel: 54s
Max time network: 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GPUPI-CLI.exe"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\GPUPI-CLI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\GPUPI-CLI.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GPUPI-CLI.exe

"C:\Users\Admin\AppData\Local\Temp\GPUPI-CLI.exe"

Network

The table has no process column, so none of these connections is attributed to GPUPI-CLI.exe, and every DNS entry is a reverse (PTR) lookup rather than a hostname resolution.

Country | Destination | Domain | Proto
NL | 88.221.25.155:80 | - | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 52.182.143.208:443 | - | tcp
NL | 88.221.25.155:80 | - | tcp
NL | 173.223.113.164:443 | - | tcp
US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp

Files

memory/2360-133-0x0000000074960000-0x0000000074CCF000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2023-03-31 08:28
Reported: 2023-03-31 08:35
Platform: win7-20230220-en
Max time kernel: 28s
Max time network: 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GPUPI.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GPUPI.exe

"C:\Users\Admin\AppData\Local\Temp\GPUPI.exe"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2023-03-31 08:28
Reported: 2023-03-31 08:35
Platform: win7-20230220-en
Max time kernel: 31s
Max time network: 34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HWiNFO32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

The writer is the 64-bit C:\Windows\system32\rundll32.exe and the target is its 32-bit counterpart in SysWOW64, both running the same command line. This is the pattern produced when 64-bit rundll32 is handed a 32-bit DLL and relaunches itself under WoW64 to load it; the same parent/child pair recurs in behavioral6 and behavioral8 and in the process list of behavioral7. On its own the write is consistent with ordinary process creation and does not show the DLL writing into any other process.

Description | Indicator | Process | Target
PID 1964 wrote to memory of 1956 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HWiNFO32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HWiNFO32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2023-03-31 08:28
Reported: 2023-03-31 08:35
Platform: win10v2004-20230220-en
Max time kernel: 123s
Max time network: 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HWiNFO32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

The same 64-bit to 32-bit rundll32.exe parent/child pair as in the Windows 7 run of this DLL: system32\rundll32.exe relaunching SysWOW64\rundll32.exe to load the 32-bit HWiNFO32.dll.

Description | Indicator | Process | Target
PID 4448 wrote to memory of 1424 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HWiNFO32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HWiNFO32.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 117.18.232.240:80 | - | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 93.184.220.29:80 | - | tcp
US | 93.184.220.29:80 | - | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FR | 40.79.141.153:443 | - | tcp
US | 117.18.232.240:80 | - | tcp
US | 117.18.232.240:80 | - | tcp
NL | 173.223.113.164:443 | - | tcp
US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp
US | 93.184.221.240:80 | - | tcp
NL | 173.223.113.131:80 | - | tcp
US | 131.253.33.203:80 | - | tcp
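
Every DNS entry in this table is a PTR (reverse) query to 8.8.8.8 and no forward lookup appears, so none of the TCP destinations can be tied to a hostname from this data. The script below is an added example, not sandbox tooling: it reverses the in-addr.arpa names and checks which of them point at a TCP destination seen in the same run, using the behavioral6 rows above as constructed input. Country labels are the report's; the row layout it accepts (country, ip:port, optional domain, protocol, separated by whitespace or "|") is an assumption of this example.

```python
"""Reverse in-addr.arpa names from a sandbox network table and check which
TCP destinations they point at.

Added example for this report, not sandbox tooling. ROWS is copied from the
behavioral6 network table; a '-' or missing Domain column means the sandbox
recorded no name for that connection.
"""
import ipaddress

# Constructed input: the behavioral6 network table, one row per line.
ROWS = [
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 117.18.232.240:80 tcp",
    "US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp",
    "US 93.184.220.29:80 tcp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp",
    "US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp",
    "FR 40.79.141.153:443 tcp",
    "NL 173.223.113.164:443 tcp",
    "US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp",
    "US 93.184.221.240:80 tcp",
    "NL 173.223.113.131:80 tcp",
    "US 131.253.33.203:80 tcp",
]


def ptr_to_ip(name):
    """'240.221.184.93.in-addr.arpa' -> IPv4Address('93.184.221.240');
    None for anything that is not a full IPv4 reverse name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None


def parse_row(row):
    """Accept 'CC ip:port [domain] proto' with whitespace or '|' separators."""
    fields = [f.strip() for f in row.split("|")] if "|" in row else row.split()
    country, dest, proto = fields[0], fields[1], fields[-1]
    domain = fields[2] if len(fields) == 4 and fields[2] != "-" else None
    host, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ipaddress.ip_address(host),
            "port": int(port), "domain": domain, "proto": proto}


def correlate_ptr(rows):
    """Map each PTR name to (reversed IP, whether that IP is also a TCP
    destination in the same run)."""
    parsed = [parse_row(r) for r in rows]
    tcp_dests = {p["ip"] for p in parsed if p["proto"] == "tcp"}
    result = {}
    for p in parsed:
        if p["domain"] is None:
            continue
        ip = ptr_to_ip(p["domain"])
        if ip is not None:
            result[p["domain"]] = (str(ip), ip in tcp_dests)
    return result


def forward_lookups(rows):
    """DNS names that are not reverse lookups, i.e. hostnames the guest
    actually tried to resolve. Empty for the behavioral6 rows."""
    return [p["domain"] for p in map(parse_row, rows)
            if p["domain"] and ptr_to_ip(p["domain"]) is None]


def unnamed_tcp_destinations(rows):
    """TCP endpoints with neither a forward lookup nor a matching PTR query."""
    parsed = [parse_row(r) for r in rows]
    named = {ipaddress.ip_address(ip) for ip, _ in correlate_ptr(rows).values()}
    return sorted({f"{p['ip']}:{p['port']}" for p in parsed
                   if p["proto"] == "tcp" and p["ip"] not in named})


if __name__ == "__main__":
    for name, (ip, seen) in correlate_ptr(ROWS).items():
        status = "also a TCP destination" if seen else "no matching connection"
        print(f"{name:32} -> {ip:16} {status}")
    print("forward lookups:", forward_lookups(ROWS))
    print("unnamed TCP destinations:", unnamed_tcp_destinations(ROWS))
```

For these rows only 240.221.184.93.in-addr.arpa reverses to an address the guest also connected to (93.184.221.240:80); the other six PTR queries point at addresses with no connection in the table, and six of the seven TCP destinations have no name at all.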

Files

memory/1424-133-0x00000000749E0000-0x0000000074D4F000-memory.dmp
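
The Files entries are raw memory dumps named by PID and address range. As an added example that is not part of the sandbox's tooling, the script below parses those names and links each dump to the writer or written-to process in the WriteProcessMemory rows, using the dumps and rows from behavioral6, behavioral4 and behavioral2 as constructed input. The name layout memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is inferred from those entries and is an assumption of this example.

```python
"""Tie sandbox memory dumps back to the processes in the WriteProcessMemory rows.

Added example for this report, not sandbox tooling. Dump names and
signature rows are copied from behavioral6, behavioral4 and behavioral2.
The dump name layout is inferred from those names (assumption).
"""
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
WRITE_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")

# Constructed from behavioral6 (rundll32 loading HWiNFO32.dll, Windows 10).
B6_DUMPS = ["memory/1424-133-0x00000000749E0000-0x0000000074D4F000-memory.dmp"]
B6_WRITES = [
    r"PID 4448 wrote to memory of 1424 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
] * 3

# Constructed from behavioral4 (GPUPI.exe spawning bcdedit.exe, Windows 10).
B4_DUMPS = [
    "memory/3548-133-0x0000000074990000-0x0000000074CFF000-memory.dmp",
    "memory/3548-136-0x0000000074990000-0x0000000074CFF000-memory.dmp",
]
B4_WRITES = [
    r"PID 3548 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\GPUPI.exe C:\Windows\system32\bcdedit.exe",
    r"PID 3548 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\GPUPI.exe C:\Windows\system32\bcdedit.exe",
]

# Constructed from behavioral2 (GPUPI-CLI.exe, Windows 10); no write rows there.
B2_DUMPS = ["memory/2360-133-0x0000000074960000-0x0000000074CCF000-memory.dmp"]


def parse_dump(name):
    """Return pid, sequence number, address range and size of a dump file."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def parse_write(row):
    """Parse 'PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>'.
    Columns may be separated by whitespace or '|'; the image paths in this
    report contain no spaces, so the last two tokens are the images."""
    m = WRITE_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised write row: {row}")
    tokens = row.replace("|", " ").split()
    return {"src": int(m["src"]), "dst": int(m["dst"]),
            "src_image": tokens[-2], "dst_image": tokens[-1]}


def correlate(dumps, write_rows):
    """For each dump say whether its PID was the writer or the written-to
    process in the WriteProcessMemory table, and which image that was."""
    writes = {(w["src"], w["dst"], w["src_image"], w["dst_image"])
              for w in map(parse_write, write_rows)}
    out = []
    for d in map(parse_dump, dumps):
        role, image = "unlinked", None
        for src, dst, src_img, dst_img in writes:
            if d["pid"] == dst:
                role, image = "written-to", dst_img
                break
            if d["pid"] == src:
                role, image = "writer", src_img
        out.append({**d, "role": role, "image": image})
    return out


def same_region(dumps):
    """True when every dump covers a region of identical size, which is what
    you would see if the same mapped image were dumped from each process."""
    return len({parse_dump(d)["size"] for d in dumps}) == 1


if __name__ == "__main__":
    for label, dumps, writes in (("behavioral6", B6_DUMPS, B6_WRITES),
                                 ("behavioral4", B4_DUMPS, B4_WRITES),
                                 ("behavioral2", B2_DUMPS, [])):
        for r in correlate(dumps, writes):
            print(f"{label}: pid {r['pid']} {r['role']:10} {r['image']} size 0x{r['size']:X}")
    print("identical region size across runs:", same_region(B2_DUMPS + B6_DUMPS + B4_DUMPS))
```

Run against the report's entries this shows the behavioral6 dump is of the 32-bit rundll32.exe that was written to, the behavioral4 dumps are of GPUPI.exe itself (the writer), and all dumps across the three Windows 10 runs cover a region of the same size (0x36F000 bytes) at a 0x74xxxxxx base, so they are worth comparing against each other before treating any one of them as unique.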

Analysis: behavioral7

Detonation Overview

Submitted: 2023-03-31 08:28
Reported: 2023-03-31 08:35
Platform: win7-20230220-en
Max time kernel: 31s
Max time network: 33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cudart32_65.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cudart32_65.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cudart32_65.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 224

(Windows Error Reporting started for PID 1696: the 32-bit rundll32 instance loading cudart32_65.dll crashed in this run as well, although the Program crash signature is only attached to the Windows 10 run in behavioral8.)

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-31 08:28
Reported: 2023-03-31 08:35
Platform: win7-20230220-en
Max time kernel: 29s
Max time network: 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GPUPI-CLI.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GPUPI-CLI.exe

"C:\Users\Admin\AppData\Local\Temp\GPUPI-CLI.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2023-03-31 08:28
Reported: 2023-03-31 08:33
Platform: win10v2004-20230220-en
Max time kernel: 30s
Max time network: 40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GPUPI.exe"

Signatures

Modifies boot configuration data using bcdedit

Tags: ransomware, evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

The signature carries no indicator of which setting was changed. The two command lines appear under Processes below: "/set useplatformclock yes" and "/enum". Neither disables recovery (recoveryenabled, bootstatuspolicy), which is what the ransomware association of this signature normally refers to.

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GPUPI.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\GPUPI.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\GPUPI.exe | N/A

Modifies data under HKEY_USERS

Every write in this table is made by C:\Windows\system32\LogonUI.exe (the Windows logon and lock screen) to DWM and Explorer accent-colour values under the .DEFAULT hive; none is made by GPUPI.exe.

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of AdjustPrivilegeToken

GPUPI.exe enables SeShutdownPrivilege, which a process needs before it can request a shutdown or restart. Together with the appearance of LogonUI.exe this is consistent with a reboot being requested after the bcdedit change (BCD settings only take effect at the next boot); the report does not record the shutdown call itself.

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GPUPI.exe | N/A

Suspicious use of SetWindowsHookEx

Raised for LogonUI.exe, a Windows component, not for the sample.

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

GPUPI.exe writing into the two bcdedit.exe processes listed below. Parent-to-child writes of this kind accompany process creation and are not, by themselves, injection into an unrelated process.

Description | Indicator | Process | Target
PID 3548 wrote to memory of 1668 (2 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\GPUPI.exe | C:\Windows\system32\bcdedit.exe
PID 3548 wrote to memory of 2528 (2 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\GPUPI.exe | C:\Windows\system32\bcdedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\GPUPI.exe

"C:\Users\Admin\AppData\Local\Temp\GPUPI.exe"

C:\Windows\system32\bcdedit.exe

"C:\Windows\sysnative\bcdedit.exe" /set useplatformclock yes

C:\Windows\system32\bcdedit.exe

C:\Windows\sysnative\bcdedit.exe /enum

(The sysnative alias is only visible to 32-bit processes running under WoW64, so GPUPI.exe is a 32-bit executable invoking the native 64-bit bcdedit. "/set useplatformclock yes" makes the kernel use the platform clock, HPET, as its timer source from the next boot; "/enum" only lists the current BCD store.)

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3990055 /state1:0x41c64e6d
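
The check an analyst wants before accepting the ransomware tag is whether the bcdedit invocations actually touch recovery settings. The script below is an added example, not the sandbox's code: it parses the two bcdedit command lines listed above and separates recovery-disabling options from timer, debug and read-only ones. The option table, class names and the list of ransomware-associated settings are this example's own assumptions, kept deliberately narrow to the settings ransomware is widely documented to change.

```python
"""Classify bcdedit.exe command lines captured in a sandbox process list.

Added example for this report, not part of the sandbox's own tooling. The
two command lines in REPORT_CMDLINES are copied from behavioral4; the
option classification below is this example's own and is deliberately
narrow: only well-known recovery-disabling settings count as tampering.
"""
import re

# bcdedit settings ransomware commonly applies to stop Windows from
# offering recovery after encryption (classification assumed here).
RECOVERY_TAMPERING = {
    ("recoveryenabled", "no"),
    ("bootstatuspolicy", "ignoreallfailures"),
}

# Settings that change timer or debug behaviour and leave recovery alone.
TIMING_OR_DEBUG = {"useplatformclock", "useplatformtick", "disabledynamictick", "debug"}

# Verbs that only read the BCD store.
READ_ONLY_VERBS = {"enum", "v"}

# Copied from the behavioral4 process list of this report.
REPORT_CMDLINES = [
    r'"C:\Windows\sysnative\bcdedit.exe" /set useplatformclock yes',
    r'C:\Windows\sysnative\bcdedit.exe /enum',
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_bcdedit(cmdline):
    """Return (verb, option, value) for a bcdedit command line, or None if the
    image is not bcdedit. verb is lower-cased with its leading slash removed;
    option and value are only filled in for the 'set' verb."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in ("bcdedit", "bcdedit.exe"):
        return None
    args = [a.lower() for a in tokens[1:]]
    if not args:
        return ("", None, None)          # bare 'bcdedit' prints the store
    verb = args[0].lstrip("/-")
    if verb != "set":
        return (verb, None, None)
    # Drop an optional {identifier} such as {default} or {current}.
    rest = [a for a in args[1:] if not re.fullmatch(r"\{[^}]*\}", a)]
    option = rest[0] if rest else None
    value = rest[1] if len(rest) > 1 else None
    return (verb, option, value)


def classify(cmdline):
    parsed = parse_bcdedit(cmdline)
    if parsed is None:
        return "not-bcdedit"
    verb, option, value = parsed
    if verb == "set":
        if (option, value) in RECOVERY_TAMPERING:
            return "recovery-tampering"
        if option in TIMING_OR_DEBUG:
            return "timing-or-debug"
        return "set-other"
    if verb in READ_ONLY_VERBS or verb == "":
        return "read-only"
    return "other"


def triage(cmdlines):
    """Map each command line to its class; the caller decides whether a
    'recovery-tampering' hit is present before accepting a ransomware tag."""
    return {c: classify(c) for c in cmdlines}


if __name__ == "__main__":
    for cmd, verdict in triage(REPORT_CMDLINES).items():
        print(f"{verdict:20} {cmd}")
```

For the two command lines in this run the result is "timing-or-debug" and "read-only"; a line such as "bcdedit /set {default} recoveryenabled no" would be classed as "recovery-tampering". Anything the classifier does not recognise falls into "set-other" or "other" and should be read by hand rather than ignored.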

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
NL | 173.223.113.164:443 | - | tcp
US | 209.197.3.8:80 | - | tcp
US | 104.208.16.89:443 | - | tcp
US | 104.208.16.89:443 | - | tcp

Files

memory/3548-133-0x0000000074990000-0x0000000074CFF000-memory.dmp

memory/3548-136-0x0000000074990000-0x0000000074CFF000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted: 2023-03-31 08:28
Reported: 2023-03-31 08:35
Platform: win10v2004-20230220-en
Max time kernel: 84s
Max time network: 146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cudart32_65.dll,#1

Signatures

Program crash

The sandbox exercises the DLL by calling its export ordinal #1 through rundll32.exe. cudart32_65.dll is named as the 32-bit NVIDIA CUDA 6.5 runtime, whose exports are plain C API functions rather than rundll32-style entry points taking (HWND, HINSTANCE, LPSTR, int), so the 32-bit rundll32 faults and WerFault.exe is started for it (PID 1008, the same process that is the WriteProcessMemory target below). The crash reflects how the DLL was invoked, not behaviour of the sample.

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2516 wrote to memory of 1008 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cudart32_65.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cudart32_65.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1008 -ip 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 600

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.233.140.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp
US | 93.184.220.29:80 | - | tcp
NL | 173.223.113.164:443 | - | tcp
NL | 173.223.113.131:80 | - | tcp
US | 131.253.33.203:80 | - | tcp
US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp

Files

N/A