Resubmissions

06-04-2023 01:50

230406-b9gzvacg41 7

06-04-2023 01:46

230406-b6yhesag32 1

06-04-2023 01:43

230406-b5fafscg21 7

Analysis

  • max time kernel
    944s
  • max time network
    893s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-04-2023 01:50

General

  • Target: cpuz_x64.exe
  • Size: 4.4MB
  • MD5: 052bbb4cf1736d4375cb9d33c6716f59
  • SHA1: a2245821a0a676b83ed42b0cbe504bf863f2fef8
  • SHA256: b617f63ba7afd4cdab95215bb48c7829311ef6226053ffe23f088e07068fed05
  • SHA512: 385df99203bc7c424ad7d9a5f1b9b41ee2cb495383e51e76739e9b14a2a05124ad102583c77ad789fb1da3da19c9e4ce004eb4495bdd2bac6df977930ec4a4ff
  • SSDEEP: 49152:TbH6EAnJD3G28reHVRYjE3TPnXELpItLc8aOm7s+TgC:TKnJD2etnXu427hTg

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cpuz_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\cpuz_x64.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_5036.log
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1896
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2764

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\Temp\cpuz_driver_5036.log
    Filesize: 492B
    MD5: d51410d42d38a66bcdaeb1547a37ecd1
    SHA1: 592f1c5c08a057059f69cf0d25c9d355092ba157
    SHA256: 1cf49bee4e8113b4a2e2b511e6e65d18902236257ded871111526f57d0c081d8
    SHA512: c9e49dba0246bbccd89a2cac9252b6220fb8c0a668e204d018c6b7f4c67c025da2367e72b6a225431f731711fc61f505d5bd395f9069a5f1ee23c3debfff47a2

  • C:\Windows\Temp\cpuz_driver_5036.log
    Filesize: 992B
    MD5: 8d6c32550cd571b72a99fbda44d501a9
    SHA1: fbc1a6e6ef5bb436b53407bc3f064f3d30b73af2
    SHA256: aa1a97d41b506fe457c6971455f43b8cb90e8a2dd99368e329dc04c26723b480
    SHA512: c8e24d1a4a5086821f456e9933f35d4f85310d6825715ffa19cceaf937063bae079748630a7e5ed3789c3440b4f57af5df2c962b3de56ec1afebeac4ac1fd86c

  • C:\Windows\temp\cpuz_driver_5036.log
    Filesize: 2KB
    MD5: 9f30b5688329ee693c0c7d50f3be147a
    SHA1: 5d3de2f86f8f2c479a72cbe7cf6c797183573c19
    SHA256: 220202d97692fa1b3a12ece209f2b2ab1e3ae2915313fddf2d963a82cb3dc0ec
    SHA512: cef91756812ef6858c84c44b8e628926115a5ab404d44f23c5db42d35ec47f72674d4ac8e832e37bcdd787b41dd941d4d62b840f3113a96d92dfdcc6de207bda

  • memory/2764-184-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
  • memory/2764-185-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
  • memory/2764-186-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
  • memory/2764-190-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
  • memory/2764-192-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
  • memory/2764-191-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
  • memory/2764-193-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
  • memory/2764-194-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
  • memory/2764-195-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)
  • memory/2764-196-0x000002B644960000-0x000002B644961000-memory.dmp (Filesize: 4KB)