dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe
Size

13.1MB
MD5

364045dcd335ffd17f48a8cf5f816a01
SHA1

e9484d6300ce1d921c70ba7c08d4bb5b79f7a8c3
SHA256

dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b
SHA512

84b719101392c9dc6fc0d0665dd5fdca2627d2f302402bc2d475a4a9fc398acd2f8384c8d3b7a5a4e012b9007a3256557a957da75948b6cff07a0ceda69b2013
SSDEEP

196608:t1cCA+KNn9QK7FQZDJLla35CKFdu9CwJsv6t0KAnag:t1cDPQca1JA3YKFdu9CwJsv6ti1

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cpuz.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\CPU-Z\cpu-z.exe	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe
File opened for modification	C:\Program Files\CPUID\CPU-Z\cpuz.exe	cpu-z.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-G8NEH.tmp	cpu-z.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-DAQQ6.tmp	cpu-z.tmp
File created	C:\Program Files\CPUID\CPU-Z\unins000.dat	cpu-z.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-8HFMP.tmp	cpu-z.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-VMU0K.tmp	cpu-z.tmp
File created	C:\Program Files\CPUID\CPU-Z\is-8363B.tmp	cpu-z.tmp
File opened for modification	C:\Program Files\CPUID\CPU-Z\unins000.dat	cpu-z.tmp

Executes dropped EXE 4 IoCs

pid	Process
2712	cpu-z.exe
2848	cpu-z.tmp
2880	_setup64.tmp
1736	cpuz.exe

Loads dropped DLL 10 IoCs

pid	Process
2080	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe
2712	cpu-z.exe
2848	cpu-z.tmp
2848	cpu-z.tmp
2848	cpu-z.tmp
2848	cpu-z.tmp
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpu-z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpu-z.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1520	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2220	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe
2080	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2848	cpu-z.tmp
2848	cpu-z.tmp
1736	cpuz.exe
1736	cpuz.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1736	cpuz.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2848	cpu-z.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1736	cpuz.exe
1736	cpuz.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2080	2220	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	31
PID 2220 wrote to memory of 2080	2220	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	31
PID 2220 wrote to memory of 2080	2220	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	31
PID 2220 wrote to memory of 2080	2220	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	31
PID 2080 wrote to memory of 2712	2080	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	32
PID 2080 wrote to memory of 2712	2080	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	32
PID 2080 wrote to memory of 2712	2080	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	32
PID 2080 wrote to memory of 2712	2080	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	32
PID 2080 wrote to memory of 2712	2080	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	32
PID 2080 wrote to memory of 2712	2080	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	32
PID 2080 wrote to memory of 2712	2080	dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe	32
PID 2712 wrote to memory of 2848	2712	cpu-z.exe	33
PID 2712 wrote to memory of 2848	2712	cpu-z.exe	33
PID 2712 wrote to memory of 2848	2712	cpu-z.exe	33
PID 2712 wrote to memory of 2848	2712	cpu-z.exe	33
PID 2712 wrote to memory of 2848	2712	cpu-z.exe	33
PID 2712 wrote to memory of 2848	2712	cpu-z.exe	33
PID 2712 wrote to memory of 2848	2712	cpu-z.exe	33
PID 2848 wrote to memory of 2880	2848	cpu-z.tmp	34
PID 2848 wrote to memory of 2880	2848	cpu-z.tmp	34
PID 2848 wrote to memory of 2880	2848	cpu-z.tmp	34
PID 2848 wrote to memory of 2880	2848	cpu-z.tmp	34
PID 2848 wrote to memory of 812	2848	cpu-z.tmp	37
PID 2848 wrote to memory of 812	2848	cpu-z.tmp	37
PID 2848 wrote to memory of 812	2848	cpu-z.tmp	37
PID 2848 wrote to memory of 812	2848	cpu-z.tmp	37
PID 1736 wrote to memory of 1520	1736	cpuz.exe	39
PID 1736 wrote to memory of 1520	1736	cpuz.exe	39
PID 1736 wrote to memory of 1520	1736	cpuz.exe	39

C:\Users\Admin\AppData\Local\Temp\dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe
"C:\Users\Admin\AppData\Local\Temp\dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe
  "C:\Users\Admin\AppData\Local\Temp\dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b.exe" -kross
  2⤵
  - Drops file in Program Files directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Program Files (x86)\CPU-Z\cpu-z.exe
    "C:\Program Files (x86)\CPU-Z\cpu-z.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\is-2MPEF.tmp\cpu-z.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2MPEF.tmp\cpu-z.tmp" /SL5="$4022E,1839111,58368,C:\Program Files (x86)\CPU-Z\cpu-z.exe"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\is-VBHLL.tmp\_isetup\_setup64.tmp
        
        helper 105 0x1EC
        5⤵
        Executes dropped EXE
        
        PID:2880
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\CPUID\CPU-Z\cpuz_readme.txt
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:812

C:\Program Files\CPUID\CPU-Z\cpuz.exe
"C:\Program Files\CPUID\CPU-Z\cpuz.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1736.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CPUID\CPU-Z\cpuz.ini

Filesize
528B

MD5
6bd9e57b13f964bc2ab258e10cd93709

SHA1
a42bd7543149aa8e88562f1e39781c2f1a390e26

SHA256
fe12fe279be5c03e7d162fbea0be831370896712b015d1d7df415cf87be6dda9

SHA512
f50b5bc48a3cbe8de0ddb4713db49e579e248b9260c7e5482e65c7878b7df8666c19872c2b647f8a5b6401aa3ca13e8ce51207535a1e8325dded71a3d4a5015f

Download Submit
C:\Program Files\CPUID\CPU-Z\cpuz_readme.txt

Filesize
30KB

MD5
55d7017bf0f28d09f20bf331eb8e608a

SHA1
5d7d5f5e75abbd20fa32a674113591c9aeb89a02

SHA256
b01b7bf643fc24ecb32ce3af039c8f30a24f7e20ffc0ed61e293b20b499d5f28

SHA512
55dda08b664067c3ba396f3ffec625779d4fe2489b321119927b97843096c3de74a664d84330bf9ca1132c6f27726fe2cad474bf5565871c274710bd5271bf9f

Download Submit
C:\Windows\temp\cpuz_driver_1736.log

Filesize
1KB

MD5
10308fa4a65111afea8177b818abc616

SHA1
b2d074065b1cb5ecc382a3d90bd64426d9c15701

SHA256
abd85da7f784d8da2136f9bfe843b36ea7e8395dbf9be67ab3620e5431515587

SHA512
d14338dc7399a591e0e86faa26dd45f8ed868c01c4a099eb2455c62e0e7c64942390096da6075dee9ebf776ce85866159e12e032ec50dd94eb16a7f4a07dff53

Download Submit
\Program Files (x86)\CPU-Z\cpu-z.exe

Filesize
2.0MB

MD5
da384563c4cf8f233e4c3efce5f63b7a

SHA1
d08290a7324b31da38b2142d7f96a671a12c481e

SHA256
7d3d1df736ca8aa96edcf37ffa3d0c992f5c2015cf2aef8c805c02729e87161f

SHA512
7651b20a5d3dff7e749300d367d3f88e69e20892580aeff52f934d07c3db6dc72b00729a35ce44592fcd9c359a813d2448daae6fd91c610f2f34ed59435b89f1

Download Submit
\Program Files\CPUID\CPU-Z\cpuz.exe

Filesize
4.2MB

MD5
8a37e1600d7668a7621af5380494d11d

SHA1
411a9e934c0c8b618acfa764ea2002dc3d930a91

SHA256
d56ef91bd3ef090b58ef818825382227dade2c692e98efebc65657880f0406e5

SHA512
e0c310b02e5ef3f9f2997d41cd1e2d32a08edaf4c366daffdc3e1fdc99ec1de4caf0070f390cbcbf6c905f153e3cd1946932b1ff17e20c6f32cfc1b842290e9f

Download Submit
\Program Files\CPUID\CPU-Z\unins000.exe

Filesize
713KB

MD5
d1c46c8fc337c9c4cbab797137939d53

SHA1
c7fca9d35fff8db9e2b1da7a7ceeb2ab2bdca283

SHA256
798eecebb059f2c27383816be38a2e8ee9a2f05eabd2028fb8d7bcda58caa597

SHA512
5b87b887f09dfd7ccda277168179e7b19a9ad15b09924f081cf45a0a7008fcbc3c1e7cc9d5b278d5463a3be9a1175dc35c1759efcc300ce19ec32e92381acf62

Download Submit
\Users\Admin\AppData\Local\Temp\is-2MPEF.tmp\cpu-z.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
\Users\Admin\AppData\Local\Temp\is-VBHLL.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
memory/2080-4-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/2080-3-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/2220-1-0x0000000002A90000-0x0000000002A9A000-memory.dmp

Filesize
40KB

Download
memory/2220-2-0x0000000002A90000-0x0000000002A92000-memory.dmp

Filesize
8KB

Download
memory/2220-0-0x0000000002A90000-0x0000000002A9A000-memory.dmp

Filesize
40KB

Download
memory/2712-11-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2712-58-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2848-56-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download