aba13ee2b163797ca82f78af6c35a6e3ee63c660316814b9efe4d40763129283

Resubmissions

06-04-2023 01:50

230406-b9gzvacg41 7

06-04-2023 01:46

230406-b6yhesag32 1

06-04-2023 01:43

230406-b5fafscg21 7

Analysis

max time kernel
16s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cpuz_x64.exe
Size

4.4MB
MD5

052bbb4cf1736d4375cb9d33c6716f59
SHA1

a2245821a0a676b83ed42b0cbe504bf863f2fef8
SHA256

b617f63ba7afd4cdab95215bb48c7829311ef6226053ffe23f088e07068fed05
SHA512

385df99203bc7c424ad7d9a5f1b9b41ee2cb495383e51e76739e9b14a2a05124ad102583c77ad789fb1da3da19c9e4ce004eb4495bdd2bac6df977930ec4a4ff
SSDEEP

49152:TbH6EAnJD3G28reHVRYjE3TPnXELpItLc8aOm7s+TgC:TKnJD2etnXu427hTg

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cpuz_x64.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation cpuz_x64.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cpuz_x64.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cpuz_x64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cpuz_x64.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings cpuz_x64.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1524 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cpuz_x64.exe

pid process

1316 cpuz_x64.exe
1316 cpuz_x64.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cpuz_x64.exe

description pid process

Token: SeLoadDriverPrivilege 1316 cpuz_x64.exe
Token: SeLoadDriverPrivilege 1316 cpuz_x64.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cpuz_x64.exe

pid process

1316 cpuz_x64.exe
1316 cpuz_x64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	cpuz_x64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cpuz_x64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	cpuz_x64.exe

pid	process
1524	NOTEPAD.EXE

pid	process
1316	cpuz_x64.exe
1316	cpuz_x64.exe

pid	process
656
656

description	pid	process
Token: SeLoadDriverPrivilege	1316	cpuz_x64.exe
Token: SeLoadDriverPrivilege	1316	cpuz_x64.exe

pid	process
1316	cpuz_x64.exe
1316	cpuz_x64.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cpuz_x64.exe

description	pid	process	target process
PID 1316 wrote to memory of 1524	1316	cpuz_x64.exe	NOTEPAD.EXE
PID 1316 wrote to memory of 1524	1316	cpuz_x64.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\cpuz_x64.exe
"C:\Users\Admin\AppData\Local\Temp\cpuz_x64.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1316.log
2⤵
- Opens file in notepad (likely ransom note)
PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\cpuz_driver_1316.log
Filesize
2KB

MD5
597f360c99f7a481a551db077323d379

SHA1
9f3cc2611b55097ba1cb036f67bbad4bf007075a

SHA256
0d3a1bbe0bc861e47637044e8f3ea4ae8aea88d04409af9f4052f622ca34f1a1

SHA512
cea724a1a27c33b1347587cfb88ef18a5bef28fa81dcca20447d23814a0bc762ea4257a868f8e91f8dbc1345f612fe64aa1c05920f2076637a4d6dd5f040d940

Download Submit
C:\Windows\temp\cpuz_driver_1316.log
Filesize
2KB

MD5
439f7fc06e53ccc129df6968898c9ec7

SHA1
bd89ee30bdcc221268d981d3f14350e7c916f174

SHA256
a9dcffccb2ce96c7ca3d70802fdba3437e78623f5b1c41e73478cf260fecb5fe

SHA512
8fc4dd2821b1e4705ae35601a10a0f0f7eea931afd16957bcb8b16c52d6e8f84e5045f5eff2dde2fe7491e8cbd0de85c1c66d57017444ceb207b8f1e2ddfe45a

Download Submit