Resubmissions
06-04-2023 01:50
230406-b9gzvacg41 7 06-04-2023 01:46
230406-b6yhesag32 1 06-04-2023 01:43
230406-b5fafscg21 7
Analysis
max time kernel: 416s
max time network: 393s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06-04-2023 01:50
Static task
static1
Behavioral task
behavioral1
Sample
cpuz.ini
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
cpuz.ini
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
cpuz_x64.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
cpuz_x64.exe
Resource
win10v2004-20230220-en
General
Target: cpuz_x64.exe
Size: 4.4MB
MD5: 052bbb4cf1736d4375cb9d33c6716f59
SHA1: a2245821a0a676b83ed42b0cbe504bf863f2fef8
SHA256: b617f63ba7afd4cdab95215bb48c7829311ef6226053ffe23f088e07068fed05
SHA512: 385df99203bc7c424ad7d9a5f1b9b41ee2cb495383e51e76739e9b14a2a05124ad102583c77ad789fb1da3da19c9e4ce004eb4495bdd2bac6df977930ec4a4ff
SSDEEP: 49152:TbH6EAnJD3G28reHVRYjE3TPnXELpItLc8aOm7s+TgC:TKnJD2etnXu427hTg
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: cpuz_x64.exe
  description: File opened for modification | ioc: \??\PhysicalDrive0 | process: cpuz_x64.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Opens file in notepad (likely ransom note) 1 IoCs
  Processes: NOTEPAD.EXE
  pid: 868 | process: NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses 16 IoCs
  Processes: cpuz_x64.exe, taskmgr.exe
  pid: 1736 | process: cpuz_x64.exe
  pid: 1584 | process: taskmgr.exe (15 identical entries)
- Suspicious behavior: LoadsDriver 2 IoCs
  Processes: (process name not recorded)
  pid: 468 (2 identical entries)
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  Processes: cpuz_x64.exe, taskmgr.exe
  description: Token: SeLoadDriverPrivilege | pid: 1736 | process: cpuz_x64.exe (2 identical entries)
  description: Token: SeDebugPrivilege | pid: 1584 | process: taskmgr.exe
- Suspicious use of FindShellTrayWindow 27 IoCs
  Processes: taskmgr.exe
  pid: 1584 | process: taskmgr.exe (27 identical entries)
- Suspicious use of SendNotifyMessage 27 IoCs
  Processes: taskmgr.exe
  pid: 1584 | process: taskmgr.exe (27 identical entries)
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes: cpuz_x64.exe
  pid: 1736 | process: cpuz_x64.exe (2 identical entries)
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes: cpuz_x64.exe
  description: PID 1736 wrote to memory of 868 | pid: 1736 | process: cpuz_x64.exe | target process: NOTEPAD.EXE (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\cpuz_x64.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cpuz_x64.exe"
  PID: 1736
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child process:
  - C:\Windows\system32\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1736.log
    PID: 868
    - Opens file in notepad (likely ransom note)
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1584
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Windows\temp\cpuz_driver_1736.log
  Filesize: 2KB
  MD5: cef7159c14b8a32347fee6b03361866d
  SHA1: a8f0c9691c92d43d8be4d4273edb8fb96b2d79dc
  SHA256: d8caacb6e86095b95b11ee366858390de5444fd553bbd02fa9595e78f5321cd2
  SHA512: d7da58c4202c362934446ed497813fff11e311c6f080f819191941c4c949593ab61d416b663576ce398d0fa0ce25c04c74803cfdad0a39224c6eb230f904cf11
- memory/1584-99-0x0000000140000000-0x00000001405E8000-memory.dmp
  Filesize: 5.9MB
- memory/1584-100-0x0000000140000000-0x00000001405E8000-memory.dmp
  Filesize: 5.9MB
- memory/1584-101-0x00000000020D0000-0x00000000020D1000-memory.dmp
  Filesize: 4KB