986256a9b917d0c5026c7dc11b694b6e7419ab267ad9c7971486e7e24db5e80e

Resubmissions

19/05/2023, 03:28

230519-d1frjafa23 6

19/05/2023, 03:22

230519-dw49bseh87 6

Analysis

max time kernel
98s
max time network
68s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
19/05/2023, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cpuz_x32.exe
Size

3.9MB
MD5

0dbdfcdd8adedec00b361bb55abc80c1
SHA1

919cfad29c2a46c94c1866fb9d98c2eb68c95b96
SHA256

986256a9b917d0c5026c7dc11b694b6e7419ab267ad9c7971486e7e24db5e80e
SHA512

960e048c548d45ed27fb889bfdcbc38705b37ab79809a2dfc4241f82b59b4e32f7864f8df8be6e7ca86f34429f36e0878993b21a280289e35c0a0ee27f1d959e
SSDEEP

49152:jstvckjdrGs6EbKvynYYTfMpItLc8aOm7s+TguV:j6ckBr/Yvya427hTgA

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cpuz_x32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
112	1980	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1980	cpuz_x32.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
416	Process not Found
416	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1980	cpuz_x32.exe
Token: SeLoadDriverPrivilege	1980	cpuz_x32.exe
Token: SeDebugPrivilege	1576	taskmgr.exe
Token: 33	1164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1164	AUDIODG.EXE
Token: 33	1164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1164	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe
1576	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1980	cpuz_x32.exe
1980	cpuz_x32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 112	1980	cpuz_x32.exe	31
PID 1980 wrote to memory of 112	1980	cpuz_x32.exe	31
PID 1980 wrote to memory of 112	1980	cpuz_x32.exe	31
PID 1980 wrote to memory of 112	1980	cpuz_x32.exe	31

C:\Users\Admin\AppData\Local\Temp\cpuz_x32.exe
"C:\Users\Admin\AppData\Local\Temp\cpuz_x32.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 992
  2⤵
  - Program crash
  PID:112

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1576

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1452

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1984

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\cpuz_driver_1980.log

Filesize
431B

MD5
231670759bf519219632d89ff2b88b21

SHA1
12de479e43bc64d5026634928e9a402a1d6daa5d

SHA256
8abedfbea7599a34179c506b8c252023cd675fa55b8ff604443f28d5801b24de

SHA512
7295452d7a8e8a300e8be2c0c1d03dae10ff0a91c54b7df203fac35f52811ecee5414a84f2bbb13b245ccff146bb6796bfe253736ef111f41fabd02dff909df7

Download Submit
memory/1576-96-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download