3ec8bc64f586979417849f0ff2dcd849f30eeece2bd106c1526960e26327d359

Analysis

max time kernel
148s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FurMark_win64/gpuz/gpuz.exe
Size

9.7MB
MD5

2c78024277562d7c190d1d53a1556f2a
SHA1

3268da1ee29d667d39dd6eff24eaa1fd8adbab9c
SHA256

e2521082260f498233a3777a4fb76ce8092348ada21dbb8674210348d396e7df
SHA512

0fee9112ba52ff4dd3856dc4f57d905c7c233a0c52b49bc8b273f4a24bd7826150c1646fd6f600cc21748098605802c594341f763863c30587c1f77021a9e932
SSDEEP

196608:Wq/ZPPzLFycqrVP7TmhPdXE8+SrDmcRl6Wbp3MDghOH8p5oDPqesM:1/lorwhPDHHLMchJpyD/d

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2064	gpuz_installer.exe
2920	gpuz_installer.tmp

Loads dropped DLL 4 IoCs

pid	Process
1872	gpuz.exe
2064	gpuz_installer.exe
2920	gpuz_installer.tmp
2920	gpuz_installer.tmp

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral19/memory/1872-0-0x0000000000F80000-0x0000000003C61000-memory.dmp	upx
behavioral19/files/0x000b000000012233-18.dat	upx
behavioral19/memory/1872-22-0x0000000000F80000-0x0000000003C61000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpuz_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpuz_installer.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2920	gpuz_installer.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	gpuz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1872	gpuz.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2064	1872	gpuz.exe	30
PID 1872 wrote to memory of 2064	1872	gpuz.exe	30
PID 1872 wrote to memory of 2064	1872	gpuz.exe	30
PID 1872 wrote to memory of 2064	1872	gpuz.exe	30
PID 1872 wrote to memory of 2064	1872	gpuz.exe	30
PID 1872 wrote to memory of 2064	1872	gpuz.exe	30
PID 1872 wrote to memory of 2064	1872	gpuz.exe	30
PID 2064 wrote to memory of 2920	2064	gpuz_installer.exe	31
PID 2064 wrote to memory of 2920	2064	gpuz_installer.exe	31
PID 2064 wrote to memory of 2920	2064	gpuz_installer.exe	31
PID 2064 wrote to memory of 2920	2064	gpuz_installer.exe	31
PID 2064 wrote to memory of 2920	2064	gpuz_installer.exe	31
PID 2064 wrote to memory of 2920	2064	gpuz_installer.exe	31
PID 2064 wrote to memory of 2920	2064	gpuz_installer.exe	31

C:\Users\Admin\AppData\Local\Temp\FurMark_win64\gpuz\gpuz.exe
"C:\Users\Admin\AppData\Local\Temp\FurMark_win64\gpuz\gpuz.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\\gpuz_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\is-MGKNF.tmp\gpuz_installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MGKNF.tmp\gpuz_installer.tmp" /SL5="$401D0,832512,832512,C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GPU-Z.exe

Filesize
9.7MB

MD5
2c78024277562d7c190d1d53a1556f2a

SHA1
3268da1ee29d667d39dd6eff24eaa1fd8adbab9c

SHA256
e2521082260f498233a3777a4fb76ce8092348ada21dbb8674210348d396e7df

SHA512
0fee9112ba52ff4dd3856dc4f57d905c7c233a0c52b49bc8b273f4a24bd7826150c1646fd6f600cc21748098605802c594341f763863c30587c1f77021a9e932

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpuz_installer.exe

Filesize
1.6MB

MD5
ac1965fac45e178006a408de0f03c147

SHA1
64223b4379ea92087d78463f7970b7aeb7b791d4

SHA256
d95d16061176c2eb9e13f0d88d07d7a976e13e773effde4e5b0843ee88612704

SHA512
1eb84a0f6fa11b02fb6c89c97abcfacee48b5bc4da7edcdc411440e247c318eac8bc7db788384e06e72af3506fd34adcfd5529861933db8af807c24bab0851d8

Download Submit
\Users\Admin\AppData\Local\Temp\is-MGKNF.tmp\gpuz_installer.tmp

Filesize
3.1MB

MD5
4c9111b5058cb0a71da1c566e6b15de5

SHA1
cdf0963572c509ecc8651a7081dd5aca44886007

SHA256
ff02cd92b07585423ef7bdd0a873374922767fe21f93fcebc24181a5ee2111fa

SHA512
3dc28a3f0a1404b67dd5374e2c5e13f1c1b0250c1e07666dbbd4bf31b400ee549c3beb7b872dd7d10dd54ce401b01a362a59bca54b2c7209cbedd97caa7cea46

Download Submit
memory/1872-23-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1872-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1872-22-0x0000000000F80000-0x0000000003C61000-memory.dmp

Filesize
44.9MB

Download
memory/1872-0-0x0000000000F80000-0x0000000003C61000-memory.dmp

Filesize
44.9MB

Download
memory/2064-11-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2064-8-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2064-24-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2920-21-0x0000000003600000-0x00000000062E1000-memory.dmp

Filesize
44.9MB

Download
memory/2920-25-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2920-26-0x0000000003600000-0x00000000062E1000-memory.dmp

Filesize
44.9MB

Download