Overview

overview

7

Static

static

1

cpuz.ini

windows7-x64

5

cpuz.ini

windows10-2004-x64

5

cpuz_x64.exe

windows7-x64

6

cpuz_x64.exe

windows10-2004-x64

7

Resubmissions

06-04-2023 01:50

230406-b9gzvacg41 7

06-04-2023 01:46

230406-b6yhesag32 1

06-04-2023 01:43

230406-b5fafscg21 7

Analysis

  • max time kernel
    879s
  • max time network
    921s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-04-2023 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cpuz.ini

  • Size

    528B

  • MD5

    4b4a459f630652c3e7012d0ea865e297

  • SHA1

    2c1354a2b2d91aa2e8ebca9d5f504dd0ef557236

  • SHA256

    125d85b819da20e776a417b58b44126bac3b1150fb993009d879de869fd79497

  • SHA512

    63791d1947335fd7db9b661a0a72306643986506f0e6165b8d10d5440596da4b5925ddc8f5f35bf4f882692b06a3b16ddf65dfc6e21c964bbd6237822cfefbfa

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 15 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\cpuz.ini
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1140
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1868
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:3928
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:228
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3628
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4324
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3980
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4180
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4552
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:904
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2992

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9CE0AK9M\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    8ecfbb5916fb505e23855d3b7c30db0c

    SHA1

    10324343aedf26ef894dc74cfef22b8c82a8de79

    SHA256

    646bbf2d59838f69fb02d31726a73364a73bd249926bc6d1658561e80b7d5173

    SHA512

    283cf8602c6c2ab9f4dde1e38b9266303661c15e9c1801773cefea06d64eb47d913e39082400e6da29146271a79c45dc44e72d111d54c457acfb8537a85dd1f6

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133252275081969228.txt
    Filesize

    77KB

    MD5

    50ca687dfd10ea32f549ff073a27c802

    SHA1

    e1530c20022c16c18ae2d93aa1f045209d54b94c

    SHA256

    b698869ff6676c10c1c0abeae38f54d90f102d3061946dabf86856f0c88e63dd

    SHA512

    8d335aa49b2cc7252c97563dc5f12a38ceeabc08caf38dc9ef98f5af31ae8b84153f102712d4228f1d3719f0df6b395625dcc470e64fbf3dccb3b8a8fab30e94

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133252275081969228.txt
    Filesize

    77KB

    MD5

    50ca687dfd10ea32f549ff073a27c802

    SHA1

    e1530c20022c16c18ae2d93aa1f045209d54b94c

    SHA256

    b698869ff6676c10c1c0abeae38f54d90f102d3061946dabf86856f0c88e63dd

    SHA512

    8d335aa49b2cc7252c97563dc5f12a38ceeabc08caf38dc9ef98f5af31ae8b84153f102712d4228f1d3719f0df6b395625dcc470e64fbf3dccb3b8a8fab30e94

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
    Filesize

    16KB

    MD5

    e3cc12d6f1ee99c94401d688c8767fe7

    SHA1

    169d466dd8960a7ab71c3fc507d3282ce19eb710

    SHA256

    82c38769e31de90f7a938bc4ae8a0c59bd385bafb3c89a519beead5e3357432b

    SHA512

    c3d535b9aa88bb0491c048ec047cfe7016028b9a540e697e87d33aa528154f8f15f51c51cdfe86b50e87aecdee623f09d3999e1757e2227fead1b5eb0ae6af4c

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9CE0AK9M\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    8ecfbb5916fb505e23855d3b7c30db0c

    SHA1

    10324343aedf26ef894dc74cfef22b8c82a8de79

    SHA256

    646bbf2d59838f69fb02d31726a73364a73bd249926bc6d1658561e80b7d5173

    SHA512

    283cf8602c6c2ab9f4dde1e38b9266303661c15e9c1801773cefea06d64eb47d913e39082400e6da29146271a79c45dc44e72d111d54c457acfb8537a85dd1f6

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9CE0AK9M\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    8ecfbb5916fb505e23855d3b7c30db0c

    SHA1

    10324343aedf26ef894dc74cfef22b8c82a8de79

    SHA256

    646bbf2d59838f69fb02d31726a73364a73bd249926bc6d1658561e80b7d5173

    SHA512

    283cf8602c6c2ab9f4dde1e38b9266303661c15e9c1801773cefea06d64eb47d913e39082400e6da29146271a79c45dc44e72d111d54c457acfb8537a85dd1f6

    Download Submit
  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal
    Filesize

    12KB

    MD5

    114e69780db0bcd89356263fef7a0589

    SHA1

    f06b9d6e12504e444605f933d70218eafc7ae430

    SHA256

    7b5edb624ab5fb0fe979206ed586c81ad82b07aa2679b3028043bf6d03843ce3

    SHA512

    7a9365cae247e5e49ba1c1947265ca286721443d2e7546fdf34378439841929b90f7775b21f271dc1abd52ccafe4dbe0d7064a02173e349418706e615c516d36

    Download Submit
  • memory/1868-141-0x0000019804190000-0x0000019804191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-144-0x0000019804190000-0x0000019804191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-145-0x0000019804190000-0x0000019804191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-143-0x0000019804190000-0x0000019804191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-142-0x0000019804190000-0x0000019804191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-140-0x0000019804190000-0x0000019804191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-139-0x0000019804190000-0x0000019804191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-135-0x0000019804190000-0x0000019804191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-134-0x0000019804190000-0x0000019804191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1868-133-0x0000019804190000-0x0000019804191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2992-415-0x0000023C7FCA0000-0x0000023C7FCC0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2992-412-0x0000023C7F890000-0x0000023C7F8B0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2992-408-0x0000023C7F8D0000-0x0000023C7F8F0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4180-289-0x000002CB53460000-0x000002CB53480000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4180-292-0x000002CB53910000-0x000002CB53930000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4180-286-0x000002CB534A0000-0x000002CB534C0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4324-158-0x000001F2143A0000-0x000001F2143C0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4324-155-0x000001F213F90000-0x000001F213FB0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4324-153-0x000001F213FD0000-0x000001F213FF0000-memory.dmp
    Filesize

    128KB

    Download