dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b

General

Target

file.exe
Size

13.1MB
MD5

364045dcd335ffd17f48a8cf5f816a01
SHA1

e9484d6300ce1d921c70ba7c08d4bb5b79f7a8c3
SHA256

dc5b6ebcf502935ed2c0b4258eb13ff403efc8b97fe562e96a3dc1c7451db76b
SHA512

84b719101392c9dc6fc0d0665dd5fdca2627d2f302402bc2d475a4a9fc398acd2f8384c8d3b7a5a4e012b9007a3256557a957da75948b6cff07a0ceda69b2013
SSDEEP

196608:t1cCA+KNn9QK7FQZDJLla35CKFdu9CwJsv6t0KAnag:t1cDPQca1JA3YKFdu9CwJsv6ti1

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\CPU-Z\cpu-z.exe	file.exe

Executes dropped EXE 2 IoCs

pid	Process
1572	cpu-z.exe
2896	cpu-z.tmp

Loads dropped DLL 2 IoCs

pid	Process
1612	file.exe
1572	cpu-z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpu-z.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpu-z.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1604	file.exe
1612	file.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1612	1604	file.exe	28
PID 1604 wrote to memory of 1612	1604	file.exe	28
PID 1604 wrote to memory of 1612	1604	file.exe	28
PID 1604 wrote to memory of 1612	1604	file.exe	28
PID 1612 wrote to memory of 1572	1612	file.exe	29
PID 1612 wrote to memory of 1572	1612	file.exe	29
PID 1612 wrote to memory of 1572	1612	file.exe	29
PID 1612 wrote to memory of 1572	1612	file.exe	29
PID 1612 wrote to memory of 1572	1612	file.exe	29
PID 1612 wrote to memory of 1572	1612	file.exe	29
PID 1612 wrote to memory of 1572	1612	file.exe	29
PID 1572 wrote to memory of 2896	1572	cpu-z.exe	30
PID 1572 wrote to memory of 2896	1572	cpu-z.exe	30
PID 1572 wrote to memory of 2896	1572	cpu-z.exe	30
PID 1572 wrote to memory of 2896	1572	cpu-z.exe	30
PID 1572 wrote to memory of 2896	1572	cpu-z.exe	30
PID 1572 wrote to memory of 2896	1572	cpu-z.exe	30
PID 1572 wrote to memory of 2896	1572	cpu-z.exe	30

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe" -kross
  2⤵
  - Drops file in Program Files directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Program Files (x86)\CPU-Z\cpu-z.exe
    "C:\Program Files (x86)\CPU-Z\cpu-z.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\is-02FJP.tmp\cpu-z.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-02FJP.tmp\cpu-z.tmp" /SL5="$401CC,1839111,58368,C:\Program Files (x86)\CPU-Z\cpu-z.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\CPU-Z\cpu-z.exe

Filesize
2.0MB

MD5
da384563c4cf8f233e4c3efce5f63b7a

SHA1
d08290a7324b31da38b2142d7f96a671a12c481e

SHA256
7d3d1df736ca8aa96edcf37ffa3d0c992f5c2015cf2aef8c805c02729e87161f

SHA512
7651b20a5d3dff7e749300d367d3f88e69e20892580aeff52f934d07c3db6dc72b00729a35ce44592fcd9c359a813d2448daae6fd91c610f2f34ed59435b89f1

Download Submit
\Users\Admin\AppData\Local\Temp\is-02FJP.tmp\cpu-z.tmp

Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
memory/1572-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1572-20-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1604-1-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/1604-0-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/1612-3-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/1612-2-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/1612-14-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2896-21-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing