566194645fc1906d1febbe81cb2b2483e05a5f69fb811abacab94096eb14002d

Analysis

max time kernel
145s
max time network
65s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-04-2023 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cpu-z_2.05-en.exe
Size

2.1MB
MD5

0c82a6ec88b18923aa205d07a7b5dc7e
SHA1

cfbe8cffe337910e4236fa3850578fd25adf5105
SHA256

566194645fc1906d1febbe81cb2b2483e05a5f69fb811abacab94096eb14002d
SHA512

f97c378495a8b91c086b8344cd5ed65c2515f6f217b0544b0fa6cad4841b96388d699131024c58cc552d9fd4350ff334db9715e4c4b5b4a8ae32c9db48bba0cd
SSDEEP

49152:2ya59bSX+688OO/wi07aESSsNMrmU7G9h4yUBtAN4c3nR1a+:XaPbSjB/wt7ISxrmUy8yqtANlR1/

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

cpu-z_2.05-en.tmp_setup64.tmpcpuz.exe

pid process

1696 cpu-z_2.05-en.tmp
1196 _setup64.tmp
1048 cpuz.exe
Loads dropped DLL 9 IoCs

Processes:

cpu-z_2.05-en.execpu-z_2.05-en.tmp

pid process

920 cpu-z_2.05-en.exe
1696 cpu-z_2.05-en.tmp
1696 cpu-z_2.05-en.tmp
1696 cpu-z_2.05-en.tmp
1696 cpu-z_2.05-en.tmp
1272
1272
1272
1272
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cpuz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cpuz.exe

pid	process
1696	cpu-z_2.05-en.tmp
1196	_setup64.tmp
1048	cpuz.exe

pid	process
920	cpu-z_2.05-en.exe
1696	cpu-z_2.05-en.tmp
1696	cpu-z_2.05-en.tmp
1696	cpu-z_2.05-en.tmp
1696	cpu-z_2.05-en.tmp
1272
1272
1272
1272

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cpuz.exe

Drops file in Program Files directory 8 IoCs

Processes:

cpu-z_2.05-en.tmp

description	ioc	process
File created	C:\Program Files\CPUID\CPU-Z\is-3ON96.tmp	cpu-z_2.05-en.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-96UUL.tmp	cpu-z_2.05-en.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-64BL9.tmp	cpu-z_2.05-en.tmp
File opened for modification	C:\Program Files\CPUID\CPU-Z\unins000.dat	cpu-z_2.05-en.tmp
File opened for modification	C:\Program Files\CPUID\CPU-Z\cpuz.exe	cpu-z_2.05-en.tmp
File created	C:\Program Files\CPUID\CPU-Z\unins000.dat	cpu-z_2.05-en.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-76PCB.tmp	cpu-z_2.05-en.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-K5MUU.tmp	cpu-z_2.05-en.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

cpu-z_2.05-en.tmpcpuz.exe

pid process

1696 cpu-z_2.05-en.tmp
1696 cpu-z_2.05-en.tmp
1048 cpuz.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

468
468
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cpuz.exe

description pid process

Token: SeLoadDriverPrivilege 1048 cpuz.exe
Token: SeLoadDriverPrivilege 1048 cpuz.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cpu-z_2.05-en.tmp

pid process

1696 cpu-z_2.05-en.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cpuz.exe

pid process

1048 cpuz.exe
1048 cpuz.exe

pid	process
1696	cpu-z_2.05-en.tmp
1696	cpu-z_2.05-en.tmp
1048	cpuz.exe

pid	process
468
468

description	pid	process
Token: SeLoadDriverPrivilege	1048	cpuz.exe
Token: SeLoadDriverPrivilege	1048	cpuz.exe

pid	process
1696	cpu-z_2.05-en.tmp

pid	process
1048	cpuz.exe
1048	cpuz.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cpu-z_2.05-en.execpu-z_2.05-en.tmp

description	pid	process	target process
PID 920 wrote to memory of 1696	920	cpu-z_2.05-en.exe	cpu-z_2.05-en.tmp
PID 920 wrote to memory of 1696	920	cpu-z_2.05-en.exe	cpu-z_2.05-en.tmp
PID 920 wrote to memory of 1696	920	cpu-z_2.05-en.exe	cpu-z_2.05-en.tmp
PID 920 wrote to memory of 1696	920	cpu-z_2.05-en.exe	cpu-z_2.05-en.tmp
PID 920 wrote to memory of 1696	920	cpu-z_2.05-en.exe	cpu-z_2.05-en.tmp
PID 920 wrote to memory of 1696	920	cpu-z_2.05-en.exe	cpu-z_2.05-en.tmp
PID 920 wrote to memory of 1696	920	cpu-z_2.05-en.exe	cpu-z_2.05-en.tmp
PID 1696 wrote to memory of 1196	1696	cpu-z_2.05-en.tmp	_setup64.tmp
PID 1696 wrote to memory of 1196	1696	cpu-z_2.05-en.tmp	_setup64.tmp
PID 1696 wrote to memory of 1196	1696	cpu-z_2.05-en.tmp	_setup64.tmp
PID 1696 wrote to memory of 1196	1696	cpu-z_2.05-en.tmp	_setup64.tmp
PID 1696 wrote to memory of 1892	1696	cpu-z_2.05-en.tmp	NOTEPAD.EXE
PID 1696 wrote to memory of 1892	1696	cpu-z_2.05-en.tmp	NOTEPAD.EXE
PID 1696 wrote to memory of 1892	1696	cpu-z_2.05-en.tmp	NOTEPAD.EXE
PID 1696 wrote to memory of 1892	1696	cpu-z_2.05-en.tmp	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\cpu-z_2.05-en.exe
"C:\Users\Admin\AppData\Local\Temp\cpu-z_2.05-en.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\is-SUA0L.tmp\cpu-z_2.05-en.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SUA0L.tmp\cpu-z_2.05-en.tmp" /SL5="$80124,1887873,58368,C:\Users\Admin\AppData\Local\Temp\cpu-z_2.05-en.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\is-6E6R3.tmp\_isetup\_setup64.tmp
helper 105 0x200
3⤵
- Executes dropped EXE
PID:1196

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\CPUID\CPU-Z\cpuz_readme.txt
3⤵
PID:1892

C:\Program Files\CPUID\CPU-Z\cpuz.exe
"C:\Program Files\CPUID\CPU-Z\cpuz.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.4MB

MD5
d72cbc48531c7c5a92d4b9166622f170

SHA1
6d8b3087d0604662bae003337760120618e4be20

SHA256
52c0d33bc392b9a47aae67b6e8eba25b00f5e821c656dfebabdae989447d0053

SHA512
08ac096425834cc98befcd2de45d5a6e0d6b54c693c136be81f87a446ef910e1527be73bfddfd009b9e9f9aee05e50c9c4fd099ef4319bf0c7d3fb378eada886

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.4MB

MD5
d72cbc48531c7c5a92d4b9166622f170

SHA1
6d8b3087d0604662bae003337760120618e4be20

SHA256
52c0d33bc392b9a47aae67b6e8eba25b00f5e821c656dfebabdae989447d0053

SHA512
08ac096425834cc98befcd2de45d5a6e0d6b54c693c136be81f87a446ef910e1527be73bfddfd009b9e9f9aee05e50c9c4fd099ef4319bf0c7d3fb378eada886

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.4MB

MD5
d72cbc48531c7c5a92d4b9166622f170

SHA1
6d8b3087d0604662bae003337760120618e4be20

SHA256
52c0d33bc392b9a47aae67b6e8eba25b00f5e821c656dfebabdae989447d0053

SHA512
08ac096425834cc98befcd2de45d5a6e0d6b54c693c136be81f87a446ef910e1527be73bfddfd009b9e9f9aee05e50c9c4fd099ef4319bf0c7d3fb378eada886

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz.ini
Filesize
610B

MD5
f25b176c1cda130f5d02732cefdc4afe

SHA1
895f52b83d1f8d4fa2b0f52e5e3a3165df07cfaa

SHA256
5f2c0ac107d9fcc3db407d1740460c08f8855224931cbf00ec0c1b7430e2e7eb

SHA512
b427eaffe9b3f062d22d51c28894b024e73a1e586bd6773b416794deea9fa50b21767716b1e86a5560c4286e0f1a69a47b9e969edcb65c800f5852fe455f03de

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz_readme.txt
Filesize
34KB

MD5
2eb35ea69faf3cd6afa084a45856670d

SHA1
7e23a655d4fc36d867ecc06b47f39d812d07f62f

SHA256
cac42f52c6b95c3a5fe011a080d645e0ade909a4a77966f9b98046f2c7592401

SHA512
f13c4422e63d29dbe9e1fbd19858c256a6172df247ddd555caca310bada8a4a90d5f8ed8240307f397a2fc8bc1634567cbf63828a9864c4085abee9d2d1819c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6E6R3.tmp\_isetup\_setup64.tmp
Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SUA0L.tmp\cpu-z_2.05-en.tmp
Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SUA0L.tmp\cpu-z_2.05-en.tmp
Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Windows\Temp\cpuz_driver_1048.log
Filesize
417B

MD5
8bd622c1c4e88662b02e8b53188f47e6

SHA1
773b00a7121e10ffbd2f6c5f0be3d5610fd7ca04

SHA256
3ff82e1da9b7a3473e8293d2c80d5bb5c34f830e6746fe6ccec6e1f678996a56

SHA512
05bdb668f8db5af680bab8208b3a28595fc14bb291002c51c3ccaeda337a4a5513e9210049fb7b311e884ddb10a381f9a3fd1370eb1730031d7400bb01e26b1d

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.4MB

MD5
d72cbc48531c7c5a92d4b9166622f170

SHA1
6d8b3087d0604662bae003337760120618e4be20

SHA256
52c0d33bc392b9a47aae67b6e8eba25b00f5e821c656dfebabdae989447d0053

SHA512
08ac096425834cc98befcd2de45d5a6e0d6b54c693c136be81f87a446ef910e1527be73bfddfd009b9e9f9aee05e50c9c4fd099ef4319bf0c7d3fb378eada886

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.4MB

MD5
d72cbc48531c7c5a92d4b9166622f170

SHA1
6d8b3087d0604662bae003337760120618e4be20

SHA256
52c0d33bc392b9a47aae67b6e8eba25b00f5e821c656dfebabdae989447d0053

SHA512
08ac096425834cc98befcd2de45d5a6e0d6b54c693c136be81f87a446ef910e1527be73bfddfd009b9e9f9aee05e50c9c4fd099ef4319bf0c7d3fb378eada886

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.4MB

MD5
d72cbc48531c7c5a92d4b9166622f170

SHA1
6d8b3087d0604662bae003337760120618e4be20

SHA256
52c0d33bc392b9a47aae67b6e8eba25b00f5e821c656dfebabdae989447d0053

SHA512
08ac096425834cc98befcd2de45d5a6e0d6b54c693c136be81f87a446ef910e1527be73bfddfd009b9e9f9aee05e50c9c4fd099ef4319bf0c7d3fb378eada886

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.4MB

MD5
d72cbc48531c7c5a92d4b9166622f170

SHA1
6d8b3087d0604662bae003337760120618e4be20

SHA256
52c0d33bc392b9a47aae67b6e8eba25b00f5e821c656dfebabdae989447d0053

SHA512
08ac096425834cc98befcd2de45d5a6e0d6b54c693c136be81f87a446ef910e1527be73bfddfd009b9e9f9aee05e50c9c4fd099ef4319bf0c7d3fb378eada886

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.4MB

MD5
d72cbc48531c7c5a92d4b9166622f170

SHA1
6d8b3087d0604662bae003337760120618e4be20

SHA256
52c0d33bc392b9a47aae67b6e8eba25b00f5e821c656dfebabdae989447d0053

SHA512
08ac096425834cc98befcd2de45d5a6e0d6b54c693c136be81f87a446ef910e1527be73bfddfd009b9e9f9aee05e50c9c4fd099ef4319bf0c7d3fb378eada886

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe
Filesize
4.4MB

MD5
d72cbc48531c7c5a92d4b9166622f170

SHA1
6d8b3087d0604662bae003337760120618e4be20

SHA256
52c0d33bc392b9a47aae67b6e8eba25b00f5e821c656dfebabdae989447d0053

SHA512
08ac096425834cc98befcd2de45d5a6e0d6b54c693c136be81f87a446ef910e1527be73bfddfd009b9e9f9aee05e50c9c4fd099ef4319bf0c7d3fb378eada886

Download Submit
\Program Files\CPUID\CPU-Z\unins000.exe
Filesize
713KB

MD5
d1c46c8fc337c9c4cbab797137939d53

SHA1
c7fca9d35fff8db9e2b1da7a7ceeb2ab2bdca283

SHA256
798eecebb059f2c27383816be38a2e8ee9a2f05eabd2028fb8d7bcda58caa597

SHA512
5b87b887f09dfd7ccda277168179e7b19a9ad15b09924f081cf45a0a7008fcbc3c1e7cc9d5b278d5463a3be9a1175dc35c1759efcc300ce19ec32e92381acf62

Download Submit
\Users\Admin\AppData\Local\Temp\is-6E6R3.tmp\_isetup\_setup64.tmp
Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
\Users\Admin\AppData\Local\Temp\is-SUA0L.tmp\cpu-z_2.05-en.tmp
Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
memory/920-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/920-105-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/920-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1696-66-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1696-104-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1696-64-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1696-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download