986256a9b917d0c5026c7dc11b694b6e7419ab267ad9c7971486e7e24db5e80e

Resubmissions

19/05/2023, 03:28

230519-d1frjafa23 6

19/05/2023, 03:22

230519-dw49bseh87 6

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
19/05/2023, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cpuz_x32.exe
Size

3.9MB
MD5

0dbdfcdd8adedec00b361bb55abc80c1
SHA1

919cfad29c2a46c94c1866fb9d98c2eb68c95b96
SHA256

986256a9b917d0c5026c7dc11b694b6e7419ab267ad9c7971486e7e24db5e80e
SHA512

960e048c548d45ed27fb889bfdcbc38705b37ab79809a2dfc4241f82b59b4e32f7864f8df8be6e7ca86f34429f36e0878993b21a280289e35c0a0ee27f1d959e
SSDEEP

49152:jstvckjdrGs6EbKvynYYTfMpItLc8aOm7s+TguV:j6ckBr/Yvya427hTgA

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cpuz_x32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1708	1760	WerFault.exe	27

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
632	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1760	cpuz_x32.exe
1760	cpuz_x32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
416	Process not Found
416	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1760	cpuz_x32.exe
Token: SeLoadDriverPrivilege	1760	cpuz_x32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1760	cpuz_x32.exe
1760	cpuz_x32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 632	1760	cpuz_x32.exe	28
PID 1760 wrote to memory of 632	1760	cpuz_x32.exe	28
PID 1760 wrote to memory of 632	1760	cpuz_x32.exe	28
PID 1760 wrote to memory of 632	1760	cpuz_x32.exe	28
PID 1760 wrote to memory of 1708	1760	cpuz_x32.exe	32
PID 1760 wrote to memory of 1708	1760	cpuz_x32.exe	32
PID 1760 wrote to memory of 1708	1760	cpuz_x32.exe	32
PID 1760 wrote to memory of 1708	1760	cpuz_x32.exe	32

C:\Users\Admin\AppData\Local\Temp\cpuz_x32.exe
"C:\Users\Admin\AppData\Local\Temp\cpuz_x32.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1760.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1040
  2⤵
  - Program crash
  PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\cpuz_driver_1760.log

Filesize
1KB

MD5
e2e93ee3506ea9787fc2a9decb47ad39

SHA1
91747729fe885b0461d6e226cb9202443a383b71

SHA256
fd37800da55d0ea296e5a27a92fadf197023c6bd2cefc033fb0a854b1361dca2

SHA512
20b698c591ac23f4f458902c3231fd14c7a9a5a25af0bb75c6d4639c4039641cfdccbd52c1d313835c1cb755518aaba81e2317656e9fd7eef451a3d9850b30df

Download Submit
C:\Windows\temp\cpuz_driver_1760.log

Filesize
2KB

MD5
7eb841729f9349c3fc0ea6fc116b674f

SHA1
f12087c95f81504d9e9cb2208a3adc4e72115504

SHA256
80403171dbdff3603e47f576aabe5c4f978d59fd293fd07df7f22d2097062ec0

SHA512
d15eeb0ec4d5f8c687cd730b813a82345e79a3ae1883042498184f4deda6dec93750024850da8310e532b5e34c24c07fa49aabc2ece7a6c6eeae9297e298715c

Download Submit