4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350

General

Target

4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
Size

1.5MB
MD5

ac2a422cc3bad3118bea0266a8fa0129
SHA1

28ad50792975fecbb77202cfb3636e766c811a9f
SHA256

4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350
SHA512

67439e008733048f71f6b1bf6eac5469272a0377f8c6ec7349720114917a54136d47b9988e6d4e04e5c4cda5251ebd2aabeda1ae135991e705e438641beb3fa1
SSDEEP

24576:Ioh3aS/tIUh102NhHF5Qk7t1T+5kKUY9lgtfifmyWTTnLNvvNAYWL6WTHUXLL9nH:IIX02NJFX7tR+Okl6fiFOLrAfFDQ9ns6

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/704-0-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-56-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-57-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-58-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-59-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-60-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-61-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-62-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-63-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-64-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-65-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-66-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-67-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-68-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral2/memory/704-69-0x0000000000400000-0x000000000083A000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5080	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
704	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
704	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	704	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
Token: SeLoadDriverPrivilege	704	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
704	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
704	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 5080	704	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe	85
PID 704 wrote to memory of 5080	704	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe	85
PID 704 wrote to memory of 5080	704	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe	85

C:\Users\Admin\AppData\Local\Temp\4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
"C:\Users\Admin\AppData\Local\Temp\4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:704
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_704.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\cpuz_driver_704.log

Filesize
1KB

MD5
3b42b68e11231bc40fa2a2a7fcb7c91a

SHA1
c351620d39cadb51707f622117d5cf592199dffc

SHA256
2e33c9df562f48055d6750375f56b3e6e8c6d5d575a981e9209be9702fd2edf1

SHA512
b2b6aca9f1697b666f5bc6351c950e3c0b8fc5c6b7211e92706a8311aa0680af2369a04348322ad211565fc0fdbc37e15e01677187410aac87d93743c3c1b602

Download Submit
C:\Windows\Temp\cpuz_driver_704.log

Filesize
2KB

MD5
f30d8c01058bfc7ac814d7b301a9cf9c

SHA1
4ccaa803e6cb122b074889938e667ec4fc5d6c79

SHA256
8979dcc1c78ee0bc4f93ed24228403da7ffe79fbe44da2effb1680acea6864bd

SHA512
65aed075afc121e48895e752e52ea77806ddf655a5f856a7920ca4baca38b61f137196b40f7001b0ff92f7334a1ae92f786f435cc93527f56d5fd2726992e37f

Download Submit
C:\Windows\Temp\cpuz_driver_704.log

Filesize
550B

MD5
bdd1bb48abd1d3aa305d201e6351129d

SHA1
df82cfd4cb0da155308007e51af9c28f756540a9

SHA256
c7ca938687876bf81864b08124e50d1625321d5288cb38c82a2d201aceb46f43

SHA512
83796e460c84cdc720b433fc4a6ecb9bcb8c7548fad91acb7d31f670703622688cdec16eeb76eeedc87a57a9a545897df263e4fc60d7a760d5584827ae6c50c5

Download Submit
C:\Windows\temp\cpuz_driver_704.log

Filesize
2KB

MD5
b43a70f71ec201e5637c34265252b30a

SHA1
3a4a2daa466dd781509fb11f728a2288131bde55

SHA256
706eab41a36630dc9fc7170f95fca5337525f879e9ec9a5849b86bd3cf6a7a94

SHA512
e87c887dca18f3670a635f74a4a07ccf4d356e00730086e9f5f7cf84f4b63ef8e063a903b316fad90b278aa7ed8af2ff8d23168c675741c1709226a6898ac6d9

Download Submit
memory/704-59-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-56-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-57-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-58-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-0-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-60-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-61-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-62-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-63-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-64-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-65-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-66-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-67-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-68-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/704-69-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads