Resubmissions
  Submitted           Analysis ID          Score
  06-04-2023 01:50    230406-b9gzvacg41    7
  06-04-2023 01:46    230406-b6yhesag32    1
  06-04-2023 01:43    230406-b5fafscg21    7

Analysis
  max time kernel: 944s
  max time network: 893s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06-04-2023 01:50
Static task: static1
Behavioral task: behavioral1 (sample cpuz.ini, resource win7-20230220-en)
Behavioral task: behavioral2 (sample cpuz.ini, resource win10v2004-20230220-en)
Behavioral task: behavioral3 (sample cpuz_x64.exe, resource win7-20230220-en)
Behavioral task: behavioral4 (sample cpuz_x64.exe, resource win10v2004-20230220-en)
General
  Target: cpuz_x64.exe
  Size: 4.4MB
  MD5: 052bbb4cf1736d4375cb9d33c6716f59
  SHA1: a2245821a0a676b83ed42b0cbe504bf863f2fef8
  SHA256: b617f63ba7afd4cdab95215bb48c7829311ef6226053ffe23f088e07068fed05
  SHA512: 385df99203bc7c424ad7d9a5f1b9b41ee2cb495383e51e76739e9b14a2a05124ad102583c77ad789fb1da3da19c9e4ce004eb4495bdd2bac6df977930ec4a4ff
  SSDEEP: 49152:TbH6EAnJD3G28reHVRYjE3TPnXELpItLc8aOm7s+TgC:TKnJD2etnXu427hTg
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | cpuz_x64.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description | ioc | process):
    File opened for modification | \??\PhysicalDrive0 | cpuz_x64.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | cpuz_x64.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (pid | process):
    1896 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (49 IoCs)
  Processes (pid | process):
    5036 | cpuz_x64.exe (2 identical entries)
    2764 | taskmgr.exe (all remaining entries, identical)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid | process):
    668 | (no process name in report) (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
    Token: SeLoadDriverPrivilege | 5036 | cpuz_x64.exe
    Token: SeLoadDriverPrivilege | 5036 | cpuz_x64.exe
    Token: SeDebugPrivilege | 2764 | taskmgr.exe
    Token: SeSystemProfilePrivilege | 2764 | taskmgr.exe
    Token: SeCreateGlobalPrivilege | 2764 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (58 IoCs)
  Processes (pid | process):
    2764 | taskmgr.exe (58 identical entries)
- Suspicious use of SendNotifyMessage (57 IoCs)
  Processes (pid | process):
    2764 | taskmgr.exe (57 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
    5036 | cpuz_x64.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description | pid | process | target process):
    PID 5036 wrote to memory of 1896 | 5036 | cpuz_x64.exe | NOTEPAD.EXE
    PID 5036 wrote to memory of 1896 | 5036 | cpuz_x64.exe | NOTEPAD.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\cpuz_x64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cpuz_x64.exe"
  PID: 5036
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_5036.log
    PID: 1896
    - Opens file in notepad (likely ransom note)
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2764
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Windows\Temp\cpuz_driver_5036.log
  Filesize: 492B
  MD5: d51410d42d38a66bcdaeb1547a37ecd1
  SHA1: 592f1c5c08a057059f69cf0d25c9d355092ba157
  SHA256: 1cf49bee4e8113b4a2e2b511e6e65d18902236257ded871111526f57d0c081d8
  SHA512: c9e49dba0246bbccd89a2cac9252b6220fb8c0a668e204d018c6b7f4c67c025da2367e72b6a225431f731711fc61f505d5bd395f9069a5f1ee23c3debfff47a2
- C:\Windows\Temp\cpuz_driver_5036.log
  Filesize: 992B
  MD5: 8d6c32550cd571b72a99fbda44d501a9
  SHA1: fbc1a6e6ef5bb436b53407bc3f064f3d30b73af2
  SHA256: aa1a97d41b506fe457c6971455f43b8cb90e8a2dd99368e329dc04c26723b480
  SHA512: c8e24d1a4a5086821f456e9933f35d4f85310d6825715ffa19cceaf937063bae079748630a7e5ed3789c3440b4f57af5df2c962b3de56ec1afebeac4ac1fd86c
- C:\Windows\temp\cpuz_driver_5036.log
  Filesize: 2KB
  MD5: 9f30b5688329ee693c0c7d50f3be147a
  SHA1: 5d3de2f86f8f2c479a72cbe7cf6c797183573c19
  SHA256: 220202d97692fa1b3a12ece209f2b2ab1e3ae2915313fddf2d963a82cb3dc0ec
  SHA512: cef91756812ef6858c84c44b8e628926115a5ab404d44f23c5db42d35ec47f72674d4ac8e832e37bcdd787b41dd941d4d62b840f3113a96d92dfdcc6de207bda
- memory/2764-184-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
- memory/2764-185-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
- memory/2764-186-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
- memory/2764-190-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
- memory/2764-192-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
- memory/2764-191-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
- memory/2764-193-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
- memory/2764-194-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
- memory/2764-195-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
- memory/2764-196-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)