4ba16ded98d8d4609c6d13fdbeca0056c66dfc7fb5208cc3c4ecf0887bda4a4d

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GPU-Z.2.26.0.exe
Size

6.8MB
MD5

8a96dc0421c70582ba7793d861bb3bf6
SHA1

4903d832e613cc6260a47022b3641d51a9d17ca9
SHA256

4ba16ded98d8d4609c6d13fdbeca0056c66dfc7fb5208cc3c4ecf0887bda4a4d
SHA512

edf71442bc5b82a658813e3b41f4071fb34785d5a995926162f30218ed7a52fb813c34d8ff9f9cf9bb8fe81cd0eb6804429a27489b6a074b1f4da98ee3ef8b73
SSDEEP

98304:sG6KuMgadVE3a0JERq+FPqL6ZQ+FdowjlGAf7GqIDT9/3YYRchBkEB0f8PrH7:DugQa0ynFyiQ+FCwjl9IHZ37R4vsU

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	gpuz_installer.exe

Loads dropped DLL 1 IoCs

pid	Process
1404	GPU-Z.2.26.0.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1404-0-0x0000000000FE0000-0x0000000002463000-memory.dmp	upx
behavioral1/memory/1404-9-0x0000000000FE0000-0x0000000002463000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000f000000012272-4.dat	nsis_installer_1
behavioral1/files/0x000f000000012272-4.dat	nsis_installer_2
behavioral1/files/0x000f000000012272-7.dat	nsis_installer_1
behavioral1/files/0x000f000000012272-7.dat	nsis_installer_2
behavioral1/files/0x000f000000012272-8.dat	nsis_installer_1
behavioral1/files/0x000f000000012272-8.dat	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	GPU-Z.2.26.0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1404	GPU-Z.2.26.0.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 3008	1404	GPU-Z.2.26.0.exe	28
PID 1404 wrote to memory of 3008	1404	GPU-Z.2.26.0.exe	28
PID 1404 wrote to memory of 3008	1404	GPU-Z.2.26.0.exe	28
PID 1404 wrote to memory of 3008	1404	GPU-Z.2.26.0.exe	28
PID 1404 wrote to memory of 3008	1404	GPU-Z.2.26.0.exe	28
PID 1404 wrote to memory of 3008	1404	GPU-Z.2.26.0.exe	28
PID 1404 wrote to memory of 3008	1404	GPU-Z.2.26.0.exe	28

C:\Users\Admin\AppData\Local\Temp\GPU-Z.2.26.0.exe
"C:\Users\Admin\AppData\Local\Temp\GPU-Z.2.26.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\\gpuz_installer.exe"
  2⤵
  - Executes dropped EXE
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe

Filesize
81KB

MD5
be189db37415ea113e117e7ad251026e

SHA1
bbadd2f9933e84babb68f5e1dd31d5acf0e11b4e

SHA256
aacf82efa5633c00a9e68b6f4c2750633c72dab67eb8a24673668ece28615bff

SHA512
1ce40eb95adfbb86bfccfea1c4a8c6f025e9bf07ffebb6fa4d8505460139403802e6c5275d4367f933700e5a1551875a2949082b7f00204325dbfd76f62e44db

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe

Filesize
81KB

MD5
be189db37415ea113e117e7ad251026e

SHA1
bbadd2f9933e84babb68f5e1dd31d5acf0e11b4e

SHA256
aacf82efa5633c00a9e68b6f4c2750633c72dab67eb8a24673668ece28615bff

SHA512
1ce40eb95adfbb86bfccfea1c4a8c6f025e9bf07ffebb6fa4d8505460139403802e6c5275d4367f933700e5a1551875a2949082b7f00204325dbfd76f62e44db

Download Submit
\Users\Admin\AppData\Local\Temp\gpuz_installer.exe

Filesize
81KB

MD5
be189db37415ea113e117e7ad251026e

SHA1
bbadd2f9933e84babb68f5e1dd31d5acf0e11b4e

SHA256
aacf82efa5633c00a9e68b6f4c2750633c72dab67eb8a24673668ece28615bff

SHA512
1ce40eb95adfbb86bfccfea1c4a8c6f025e9bf07ffebb6fa4d8505460139403802e6c5275d4367f933700e5a1551875a2949082b7f00204325dbfd76f62e44db

Download Submit
memory/1404-0-0x0000000000FE0000-0x0000000002463000-memory.dmp

Filesize
20.5MB

Download
memory/1404-1-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1404-9-0x0000000000FE0000-0x0000000002463000-memory.dmp

Filesize
20.5MB

Download
memory/1404-11-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download