Analysis

  • max time kernel
    274s
  • max time network
    276s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
  • submitted
    04/04/2025, 01:34

Errors

Reason
Machine shutdown

General

  • Target

    cpu-z_2.15-rog-en.exe

  • Size

    3.1MB

  • MD5

    9c7d97f1074b5eb1e16938558c1d38a0

  • SHA1

    278e9b8f3deade747e2076a8db5186876f891a68

  • SHA256

    fc56af8748f41fa6bdd55cba1bca97f5e65540aeb331821ae4a7a8bd675f445e

  • SHA512

    d6805debc6f0ebcdc5b8efc43195753683d4e7b372ebde50870e3a8618b7fa3b3a071b4a885ed7d6bc2febd98fec71a8c9d758b8b59a076a0a48944459f1adab

  • SSDEEP

    49152:fwREDX5zEq/9+uWuOA9NElCObyhwxnQhwM0o8DA3HWsMr7k:fwREL79tW/M3ObyhwShwM0e3MU

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 38 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cpu-z_2.15-rog-en.exe
    "C:\Users\Admin\AppData\Local\Temp\cpu-z_2.15-rog-en.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5380
    • C:\Users\Admin\AppData\Local\Temp\is-AVVHI.tmp\cpu-z_2.15-rog-en.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AVVHI.tmp\cpu-z_2.15-rog-en.tmp" /SL5="$501F0,2383877,776192,C:\Users\Admin\AppData\Local\Temp\cpu-z_2.15-rog-en.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\CPUID\ROG CPU-Z\rog_cpuz_readme.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5000
  • C:\Program Files\CPUID\ROG CPU-Z\cpuz.exe
    "C:\Program Files\CPUID\ROG CPU-Z\cpuz.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Checks computer location settings
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1724.log
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:324
  • C:\Windows\System32\oobe\UserOOBEBroker.exe
    C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    PID:5680
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:5720
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    1⤵
      PID:6132
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" display.dll,ShowAdapterSettings 0
      1⤵
        PID:5000
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
        1⤵
        • System Location Discovery: System Language Discovery
        PID:2016
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
        1⤵
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Windows\system32\systempropertiesadvanced.exe
          "C:\Windows\system32\systempropertiesadvanced.exe"
          2⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          PID:1064
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5544
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4820
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x4 /state0:0xa3982855 /state1:0x41c64e6d
          1⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:4988

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Program Files\CPUID\ROG CPU-Z\cpuz.exe

          Filesize

          5.3MB

          MD5

          33bf1f4a9e5b18b7b6e1a5673aad66f5

          SHA1

          9c4fd2f466595848eb3602246b20bf41625901a8

          SHA256

          ccaae248859a61535e76be766380c3be445a40240624f69a6da38f73c491cbb7

          SHA512

          154c1aaa30d52add7dbf03b5f667c62fd6dcc931c1064b409f675c98fbed4b34a37e8e38de9de92e3bf1c2ef83c250aed08c06a94913f7d1201a661779309b1e

        • C:\Program Files\CPUID\ROG CPU-Z\cpuz.ini

          Filesize

          630B

          MD5

          5f7b6fd6679c32b7afe11d7e9bed9f36

          SHA1

          936656cfb34f1a221fb7ab751b93c0a0926c232d

          SHA256

          72806ceaee54badea0c1a92db26ff8b22f112e09734d3a7236b5685a38580fe2

          SHA512

          813bb8954a8319574c36fcca5099d9ccdc97179a8483f7cbc9b21a596b75889390a4510dbfb1d66d5e1160255ef7ea3c53efcecd1acacecb6387d0444fcef652

        • C:\Program Files\CPUID\ROG CPU-Z\rog_cpuz_readme.txt

          Filesize

          38KB

          MD5

          d83633eac12f691f4dfa9ccfc074e972

          SHA1

          e5d8d238b51132bb40ecc87d1a3bad205473bc05

          SHA256

          8134852ec4c26542537cba278a53de457dec102787225c899b202a39ba5a0c0b

          SHA512

          bce9bfafffe5d80218eacaf6e76a1940218cb9b7122ba931d85a1f587d284cab6cc267204bd641963642fdb35106f99eb76c99ab501895f2b4cce1c4777fe72b

        • C:\Users\Admin\AppData\Local\Temp\is-AVVHI.tmp\cpu-z_2.15-rog-en.tmp

          Filesize

          3.0MB

          MD5

          71feba0d4aaaf10cee1f748f4e086123

          SHA1

          4bf368869c2cb04f0e06a95cdd4e4b4f1eb97e64

          SHA256

          5806abe938633630e794825171b6d0bab51740e42530f263b4acb7d77425cfa4

          SHA512

          ec29ce53029d9c642ee20caa6979553dee28682ff70b5ef7f8594897b06c26ae1b5056cbcb8e71ef69bebddaf1e464108f7b883070c5027f511468569c86071c

        • C:\Windows\Temp\cpuz_driver_1724.log

          Filesize

          2KB

          MD5

          7935b34a5779f731a0f9c450ac352b68

          SHA1

          6663fdc630b695844f938ac3ad703954c8f0502a

          SHA256

          d0d1db654b26b2f4e59e2b9460c75570407a5cd38a110418d6a8a964e5f46302

          SHA512

          14c8e92398b01390035dbac722bbba371bd668d8f5ff37584616913f6843af26f3b23b169b6c8b72d462b240fb3f37d30f3b5ba4c84ee3498eab7f0c8ada917a

        • memory/4648-10-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/4648-42-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/4648-7-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/5380-0-0x0000000000400000-0x00000000004CB000-memory.dmp

          Filesize

          812KB

        • memory/5380-8-0x0000000000400000-0x00000000004CB000-memory.dmp

          Filesize

          812KB

        • memory/5380-43-0x0000000000400000-0x00000000004CB000-memory.dmp

          Filesize

          812KB

        • memory/5380-2-0x0000000000401000-0x00000000004A9000-memory.dmp

          Filesize

          672KB

        • memory/5544-98-0x000001C9EA620000-0x000001C9EA621000-memory.dmp

          Filesize

          4KB

        • memory/5544-99-0x000001C9EA620000-0x000001C9EA621000-memory.dmp

          Filesize

          4KB

        • memory/5544-100-0x000001C9EA620000-0x000001C9EA621000-memory.dmp

          Filesize

          4KB

        • memory/5544-110-0x000001C9EA620000-0x000001C9EA621000-memory.dmp

          Filesize

          4KB

        • memory/5544-108-0x000001C9EA620000-0x000001C9EA621000-memory.dmp

          Filesize

          4KB

        • memory/5544-109-0x000001C9EA620000-0x000001C9EA621000-memory.dmp

          Filesize

          4KB

        • memory/5544-107-0x000001C9EA620000-0x000001C9EA621000-memory.dmp

          Filesize

          4KB

        • memory/5544-106-0x000001C9EA620000-0x000001C9EA621000-memory.dmp

          Filesize

          4KB

        • memory/5544-104-0x000001C9EA620000-0x000001C9EA621000-memory.dmp

          Filesize

          4KB

        • memory/5544-105-0x000001C9EA620000-0x000001C9EA621000-memory.dmp

          Filesize

          4KB