Resubmissions
- 06-04-2023 01:50  230406-b9gzvacg41  7
- 06-04-2023 01:46  230406-b6yhesag32  1
- 06-04-2023 01:43  230406-b5fafscg21  7

Analysis
- max time kernel: 16s
- max time network: 24s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-04-2023 01:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: cpuz_x64.exe
- Resource: win10v2004-20230220-en
General
- Target: cpuz_x64.exe
- Size: 4.4MB
- MD5: 052bbb4cf1736d4375cb9d33c6716f59
- SHA1: a2245821a0a676b83ed42b0cbe504bf863f2fef8
- SHA256: b617f63ba7afd4cdab95215bb48c7829311ef6226053ffe23f088e07068fed05
- SHA512: 385df99203bc7c424ad7d9a5f1b9b41ee2cb495383e51e76739e9b14a2a05124ad102583c77ad789fb1da3da19c9e4ce004eb4495bdd2bac6df977930ec4a4ff
- SSDEEP: 49152:TbH6EAnJD3G28reHVRYjE3TPnXELpItLc8aOm7s+TgC:TKnJD2etnXu427hTg
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - cpuz_x64.exe: Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  - cpuz_x64.exe: File opened for modification \??\PhysicalDrive0
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
  - cpuz_x64.exe: Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes:
  - NOTEPAD.EXE (PID 1524)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - cpuz_x64.exe (PID 1316), two IoCs
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  - PID 656, two IoCs (process name not recorded in the report)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - cpuz_x64.exe (PID 1316): Token SeLoadDriverPrivilege, two IoCs
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - cpuz_x64.exe (PID 1316), two IoCs
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  - PID 1316 (cpuz_x64.exe) wrote to memory of PID 1524 (NOTEPAD.EXE), two IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\cpuz_x64.exe (PID 1316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cpuz_x64.exe"
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (PID 1524, child of PID 1316)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1316.log
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Windows\Temp\cpuz_driver_1316.log
  Filesize: 2KB
  MD5: 597f360c99f7a481a551db077323d379
  SHA1: 9f3cc2611b55097ba1cb036f67bbad4bf007075a
  SHA256: 0d3a1bbe0bc861e47637044e8f3ea4ae8aea88d04409af9f4052f622ca34f1a1
  SHA512: cea724a1a27c33b1347587cfb88ef18a5bef28fa81dcca20447d23814a0bc762ea4257a868f8e91f8dbc1345f612fe64aa1c05920f2076637a4d6dd5f040d940
- C:\Windows\temp\cpuz_driver_1316.log
  Filesize: 2KB
  MD5: 439f7fc06e53ccc129df6968898c9ec7
  SHA1: bd89ee30bdcc221268d981d3f14350e7c916f174
  SHA256: a9dcffccb2ce96c7ca3d70802fdba3437e78623f5b1c41e73478cf260fecb5fe
  SHA512: 8fc4dd2821b1e4705ae35601a10a0f0f7eea931afd16957bcb8b16c52d6e8f84e5045f5eff2dde2fe7491e8cbd0de85c1c66d57017444ceb207b8f1e2ddfe45a