57d8256a6c6a510470583bba4569269b7125e131c17dca0954c09261f4cae042

Analysis

max time kernel
54s
max time network
57s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-03-2023 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cpu-z_2.04-cn.exe
Size

2.1MB
MD5

c6991216bb74a500d66446f4b8f73f8f
SHA1

6a7cdaa8877cb4ecfde6a61621f647ee846cce8a
SHA256

57d8256a6c6a510470583bba4569269b7125e131c17dca0954c09261f4cae042
SHA512

562df759cc324e2cb25acbd856bbe0c61045909a45cede4bfa4a1b8a21e95c85440f987f5e3dcf9b165bf4175fa4ee89062a227ad8eb051f1df723f211b24ec3
SSDEEP

49152:SyhgH6UQ/t5Jr/zrkQDXFmmuEcXB3cgvBBTPcw0Lj11am:D+H6UQV5JrLFbFmmunXt3zETLj11Z

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

cpu-z_2.04-cn.tmp_setup64.tmpcpuz.exe

pid process

1604 cpu-z_2.04-cn.tmp
1116 _setup64.tmp
748 cpuz.exe
Loads dropped DLL 10 IoCs

Processes:

cpu-z_2.04-cn.execpu-z_2.04-cn.tmp

pid process

1888 cpu-z_2.04-cn.exe
1604 cpu-z_2.04-cn.tmp
1604 cpu-z_2.04-cn.tmp
1604 cpu-z_2.04-cn.tmp
1604 cpu-z_2.04-cn.tmp
1368
1368
1368
1368
1368
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cpuz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cpuz.exe

pid	process
1604	cpu-z_2.04-cn.tmp
1116	_setup64.tmp
748	cpuz.exe

pid	process
1888	cpu-z_2.04-cn.exe
1604	cpu-z_2.04-cn.tmp
1604	cpu-z_2.04-cn.tmp
1604	cpu-z_2.04-cn.tmp
1604	cpu-z_2.04-cn.tmp
1368
1368
1368
1368
1368

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cpuz.exe

Drops file in Program Files directory 8 IoCs

Processes:

cpu-z_2.04-cn.tmp

description	ioc	process
File opened for modification	C:\Program Files\CPUID\CPU-Z\unins000.dat	cpu-z_2.04-cn.tmp
File opened for modification	C:\Program Files\CPUID\CPU-Z\cpuz.exe	cpu-z_2.04-cn.tmp
File created	C:\Program Files\CPUID\CPU-Z\unins000.dat	cpu-z_2.04-cn.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-AQURR.tmp	cpu-z_2.04-cn.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-E9D36.tmp	cpu-z_2.04-cn.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-BK3G5.tmp	cpu-z_2.04-cn.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-M67Q8.tmp	cpu-z_2.04-cn.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-K1AR0.tmp	cpu-z_2.04-cn.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1728 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cpu-z_2.04-cn.tmpcpuz.exe

pid process

1604 cpu-z_2.04-cn.tmp
1604 cpu-z_2.04-cn.tmp
748 cpuz.exe
748 cpuz.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

460
460
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cpuz.exe

description pid process

Token: SeLoadDriverPrivilege 748 cpuz.exe
Token: SeLoadDriverPrivilege 748 cpuz.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cpu-z_2.04-cn.tmp

pid process

1604 cpu-z_2.04-cn.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cpuz.exe

pid process

748 cpuz.exe
748 cpuz.exe

pid	process
1728	NOTEPAD.EXE

pid	process
1604	cpu-z_2.04-cn.tmp
1604	cpu-z_2.04-cn.tmp
748	cpuz.exe
748	cpuz.exe

pid	process
460
460

description	pid	process
Token: SeLoadDriverPrivilege	748	cpuz.exe
Token: SeLoadDriverPrivilege	748	cpuz.exe

pid	process
1604	cpu-z_2.04-cn.tmp

pid	process
748	cpuz.exe
748	cpuz.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cpu-z_2.04-cn.execpu-z_2.04-cn.tmpcpuz.exe

description	pid	process	target process
PID 1888 wrote to memory of 1604	1888	cpu-z_2.04-cn.exe	cpu-z_2.04-cn.tmp
PID 1888 wrote to memory of 1604	1888	cpu-z_2.04-cn.exe	cpu-z_2.04-cn.tmp
PID 1888 wrote to memory of 1604	1888	cpu-z_2.04-cn.exe	cpu-z_2.04-cn.tmp
PID 1888 wrote to memory of 1604	1888	cpu-z_2.04-cn.exe	cpu-z_2.04-cn.tmp
PID 1888 wrote to memory of 1604	1888	cpu-z_2.04-cn.exe	cpu-z_2.04-cn.tmp
PID 1888 wrote to memory of 1604	1888	cpu-z_2.04-cn.exe	cpu-z_2.04-cn.tmp
PID 1888 wrote to memory of 1604	1888	cpu-z_2.04-cn.exe	cpu-z_2.04-cn.tmp
PID 1604 wrote to memory of 1116	1604	cpu-z_2.04-cn.tmp	_setup64.tmp
PID 1604 wrote to memory of 1116	1604	cpu-z_2.04-cn.tmp	_setup64.tmp
PID 1604 wrote to memory of 1116	1604	cpu-z_2.04-cn.tmp	_setup64.tmp
PID 1604 wrote to memory of 1116	1604	cpu-z_2.04-cn.tmp	_setup64.tmp
PID 1604 wrote to memory of 1756	1604	cpu-z_2.04-cn.tmp	NOTEPAD.EXE
PID 1604 wrote to memory of 1756	1604	cpu-z_2.04-cn.tmp	NOTEPAD.EXE
PID 1604 wrote to memory of 1756	1604	cpu-z_2.04-cn.tmp	NOTEPAD.EXE
PID 1604 wrote to memory of 1756	1604	cpu-z_2.04-cn.tmp	NOTEPAD.EXE
PID 748 wrote to memory of 1728	748	cpuz.exe	NOTEPAD.EXE
PID 748 wrote to memory of 1728	748	cpuz.exe	NOTEPAD.EXE
PID 748 wrote to memory of 1728	748	cpuz.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\cpu-z_2.04-cn.exe
"C:\Users\Admin\AppData\Local\Temp\cpu-z_2.04-cn.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\is-V2CNV.tmp\cpu-z_2.04-cn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V2CNV.tmp\cpu-z_2.04-cn.tmp" /SL5="$60156,1876818,58368,C:\Users\Admin\AppData\Local\Temp\cpu-z_2.04-cn.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\is-U63VR.tmp\_isetup\_setup64.tmp
helper 105 0x200
3⤵
- Executes dropped EXE
PID:1116

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\CPUID\CPU-Z\cpuz_readme.txt
3⤵
PID:1756

C:\Program Files\CPUID\CPU-Z\cpuz.exe
"C:\Program Files\CPUID\CPU-Z\cpuz.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_748.log
2⤵
- Opens file in notepad (likely ransom note)
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.3MB

MD5
651622861cf8e072507f106b8b355590

SHA1
58bb4765d1e083f98188f61cf79df9abe8299495

SHA256
b296d21fe5a2693f0241aab4332cdcba292cbb4a30b47892ccc9a3427a7aed40

SHA512
61c85a8611e98a9f51cd7f6d71b712b2da49d9afdc6e8ae4fa2d0c3db92437d088fc35575762d262e794aab189dd4f8cd530827d6d55cb8fdfc785c5cfb2dab6

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.3MB

MD5
651622861cf8e072507f106b8b355590

SHA1
58bb4765d1e083f98188f61cf79df9abe8299495

SHA256
b296d21fe5a2693f0241aab4332cdcba292cbb4a30b47892ccc9a3427a7aed40

SHA512
61c85a8611e98a9f51cd7f6d71b712b2da49d9afdc6e8ae4fa2d0c3db92437d088fc35575762d262e794aab189dd4f8cd530827d6d55cb8fdfc785c5cfb2dab6

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.3MB

MD5
651622861cf8e072507f106b8b355590

SHA1
58bb4765d1e083f98188f61cf79df9abe8299495

SHA256
b296d21fe5a2693f0241aab4332cdcba292cbb4a30b47892ccc9a3427a7aed40

SHA512
61c85a8611e98a9f51cd7f6d71b712b2da49d9afdc6e8ae4fa2d0c3db92437d088fc35575762d262e794aab189dd4f8cd530827d6d55cb8fdfc785c5cfb2dab6

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz.ini
Filesize
546B

MD5
e9a0b7ec9af26422f087a093b2121a5f

SHA1
bca2bad972ebfabccf3767bb97472ace81b8aabe

SHA256
991de8e7502d49c625669791dfa922c5ba67d17ce1cda0d6bd5496a90478e4f3

SHA512
5cff10383a893bbe7998edd22f810beeb868120eafd07f85817dfc308362fb157ce36d1ef3914fbd0cd4f83ab0a14d78835a9df2a673b055632429b1319cc34a

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz_readme.txt
Filesize
34KB

MD5
86272670f314ea4b0fd4436a9444f591

SHA1
9dd899a622675d39cb6220eb948809a7d1499d54

SHA256
e4ec175b690ec0a8b50cf30199f0e1c3b4d283433cd73596cdc3dd188ab8109b

SHA512
04a055658e71f0dadf0d7fe2b78d5d7f753b1e68ac354b2532cdfa2e7611fc0bb6af02bd0a5563db69ef31283410098df2c9ea3038aa631d3723ac17687f9a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U63VR.tmp\_isetup\_setup64.tmp
Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V2CNV.tmp\cpu-z_2.04-cn.tmp
Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V2CNV.tmp\cpu-z_2.04-cn.tmp
Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Windows\temp\cpuz_driver_748.log
Filesize
2KB

MD5
6721a85cdffd482cb23c5c0460af989b

SHA1
09db8527e273f0011e2669c422fdd578167aaa4f

SHA256
22345ba703b2821ad60325ec1b900c1bb79a231451ec0022834ebbd55cb03f00

SHA512
1b077723e65e3d850b37e989199efcdfe63cf5932d67e022716bb22ebdd9c4d5d482ee8877d91ab35341eef14eaf74b490b95c8e458a1e3eb41ebda9a4ad96ef

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.3MB

MD5
651622861cf8e072507f106b8b355590

SHA1
58bb4765d1e083f98188f61cf79df9abe8299495

SHA256
b296d21fe5a2693f0241aab4332cdcba292cbb4a30b47892ccc9a3427a7aed40

SHA512
61c85a8611e98a9f51cd7f6d71b712b2da49d9afdc6e8ae4fa2d0c3db92437d088fc35575762d262e794aab189dd4f8cd530827d6d55cb8fdfc785c5cfb2dab6

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.3MB

MD5
651622861cf8e072507f106b8b355590

SHA1
58bb4765d1e083f98188f61cf79df9abe8299495

SHA256
b296d21fe5a2693f0241aab4332cdcba292cbb4a30b47892ccc9a3427a7aed40

SHA512
61c85a8611e98a9f51cd7f6d71b712b2da49d9afdc6e8ae4fa2d0c3db92437d088fc35575762d262e794aab189dd4f8cd530827d6d55cb8fdfc785c5cfb2dab6

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.3MB

MD5
651622861cf8e072507f106b8b355590

SHA1
58bb4765d1e083f98188f61cf79df9abe8299495

SHA256
b296d21fe5a2693f0241aab4332cdcba292cbb4a30b47892ccc9a3427a7aed40

SHA512
61c85a8611e98a9f51cd7f6d71b712b2da49d9afdc6e8ae4fa2d0c3db92437d088fc35575762d262e794aab189dd4f8cd530827d6d55cb8fdfc785c5cfb2dab6

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.3MB

MD5
651622861cf8e072507f106b8b355590

SHA1
58bb4765d1e083f98188f61cf79df9abe8299495

SHA256
b296d21fe5a2693f0241aab4332cdcba292cbb4a30b47892ccc9a3427a7aed40

SHA512
61c85a8611e98a9f51cd7f6d71b712b2da49d9afdc6e8ae4fa2d0c3db92437d088fc35575762d262e794aab189dd4f8cd530827d6d55cb8fdfc785c5cfb2dab6

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.3MB

MD5
651622861cf8e072507f106b8b355590

SHA1
58bb4765d1e083f98188f61cf79df9abe8299495

SHA256
b296d21fe5a2693f0241aab4332cdcba292cbb4a30b47892ccc9a3427a7aed40

SHA512
61c85a8611e98a9f51cd7f6d71b712b2da49d9afdc6e8ae4fa2d0c3db92437d088fc35575762d262e794aab189dd4f8cd530827d6d55cb8fdfc785c5cfb2dab6

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.3MB

MD5
651622861cf8e072507f106b8b355590

SHA1
58bb4765d1e083f98188f61cf79df9abe8299495

SHA256
b296d21fe5a2693f0241aab4332cdcba292cbb4a30b47892ccc9a3427a7aed40

SHA512
61c85a8611e98a9f51cd7f6d71b712b2da49d9afdc6e8ae4fa2d0c3db92437d088fc35575762d262e794aab189dd4f8cd530827d6d55cb8fdfc785c5cfb2dab6

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.3MB

MD5
651622861cf8e072507f106b8b355590

SHA1
58bb4765d1e083f98188f61cf79df9abe8299495

SHA256
b296d21fe5a2693f0241aab4332cdcba292cbb4a30b47892ccc9a3427a7aed40

SHA512
61c85a8611e98a9f51cd7f6d71b712b2da49d9afdc6e8ae4fa2d0c3db92437d088fc35575762d262e794aab189dd4f8cd530827d6d55cb8fdfc785c5cfb2dab6

Download Submit
\Program Files\CPUID\CPU-Z\unins000.exe
Filesize
709KB

MD5
729a11d633d7bd210e22880e8f56195e

SHA1
cb90c254bc18f9cc2629aefe6afcfaeea0757d1a

SHA256
608b9a316381a4e4ad1fcd014ffc089ada3e9a16738537911e4b48bd1efee116

SHA512
d2e13abd7bfe9ced78b8d3dc6516319b0902721ad5dcc3c886de59473952d2956d1576ff311c68389438738e39a48e2d9e866be9fc48267be31e80ebbb034b00

Download Submit
\Users\Admin\AppData\Local\Temp\is-U63VR.tmp\_isetup\_setup64.tmp
Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
\Users\Admin\AppData\Local\Temp\is-V2CNV.tmp\cpu-z_2.04-cn.tmp
Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
memory/1604-64-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1604-102-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1604-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1888-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1888-103-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1888-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download