Resubmissions

19/05/2023, 03:28

230519-d1frjafa23 6

19/05/2023, 03:22

230519-dw49bseh87 6

Analysis

  • max time kernel
    29s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-es
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-es, locale:es-es, os:windows7-x64, system, windows
  • submitted
    19/05/2023, 03:22

General

  • Target

    cpuz_x32.exe

  • Size

    3.9MB

  • MD5

    0dbdfcdd8adedec00b361bb55abc80c1

  • SHA1

    919cfad29c2a46c94c1866fb9d98c2eb68c95b96

  • SHA256

    986256a9b917d0c5026c7dc11b694b6e7419ab267ad9c7971486e7e24db5e80e

  • SHA512

    960e048c548d45ed27fb889bfdcbc38705b37ab79809a2dfc4241f82b59b4e32f7864f8df8be6e7ca86f34429f36e0878993b21a280289e35c0a0ee27f1d959e

  • SSDEEP

    49152:jstvckjdrGs6EbKvynYYTfMpItLc8aOm7s+TguV:j6ckBr/Yvya427hTgA

Score
6/10

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cpuz_x32.exe
    "C:\Users\Admin\AppData\Local\Temp\cpuz_x32.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_1760.log
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:632
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1040
      2⤵
      • Program crash
      PID:1708

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\Temp\cpuz_driver_1760.log

    Filesize

    1KB

    MD5

    e2e93ee3506ea9787fc2a9decb47ad39

    SHA1

    91747729fe885b0461d6e226cb9202443a383b71

    SHA256

    fd37800da55d0ea296e5a27a92fadf197023c6bd2cefc033fb0a854b1361dca2

    SHA512

    20b698c591ac23f4f458902c3231fd14c7a9a5a25af0bb75c6d4639c4039641cfdccbd52c1d313835c1cb755518aaba81e2317656e9fd7eef451a3d9850b30df

  • C:\Windows\temp\cpuz_driver_1760.log

    Filesize

    2KB

    MD5

    7eb841729f9349c3fc0ea6fc116b674f

    SHA1

    f12087c95f81504d9e9cb2208a3adc4e72115504

    SHA256

    80403171dbdff3603e47f576aabe5c4f978d59fd293fd07df7f22d2097062ec0

    SHA512

    d15eeb0ec4d5f8c687cd730b813a82345e79a3ae1883042498184f4deda6dec93750024850da8310e532b5e34c24c07fa49aabc2ece7a6c6eeae9297e298715c