Analysis
- max time kernel: 144s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/09/2022, 19:21
Static task: static1
Behavioral task: behavioral1
- Sample: PRD.lnk
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: PRD.lnk
- Resource: win10v2004-20220812-en
Behavioral task: behavioral3
- Sample: lkndwsjds.ps1
- Resource: win7-20220812-en
Behavioral task: behavioral4
- Sample: lkndwsjds.ps1
- Resource: win10v2004-20220812-en
General
- Target: PRD.lnk
- Size: 1KB
- MD5: 03475b66ae9683c845b1b99c9fb7b5f1
- SHA1: 6ac4dd7bc3136f7b8c1b8f8b60d855a4f606bd67
- SHA256: 7ba64fb34d07705c909cb271df4f8ffd152618897b25e77379c836b5c57fe1b4
- SHA512: ac41a57a4dd9993f53612c2a1b72c9375ced61d0f4e3b72403ce4d28d30c6353075756b439346cb7352be9656b4a54a76cc6846d3eb9f5fd0799372930240179
Malware Config
Signatures
- Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | powershell.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | powershell.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | powershell.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | powershell.exe
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | powershell.exe
- Checks BIOS information in registry (2 TTPs, 3 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | powershell.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | powershell.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | cmd.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Wine | powershell.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid | Process
  3828 | powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3828 | powershell.exe (the same entry is reported 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 3828 | powershell.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 5020 wrote to memory of 3828 | 5020 | cmd.exe | 82
  PID 5020 wrote to memory of 3828 | 5020 | cmd.exe | 82
  PID 3828 wrote to memory of 4368 | 3828 | powershell.exe | 83
  PID 3828 wrote to memory of 4368 | 3828 | powershell.exe | 83
  PID 4368 wrote to memory of 4772 | 4368 | csc.exe | 84
  PID 4368 wrote to memory of 4772 | 4368 | csc.exe | 84
  PID 3828 wrote to memory of 1800 | 3828 | powershell.exe | 85
  PID 3828 wrote to memory of 1800 | 3828 | powershell.exe | 85
  PID 1800 wrote to memory of 3608 | 1800 | csc.exe | 86
  PID 1800 wrote to memory of 3608 | 1800 | csc.exe | 86
Processes
- C:\Windows\system32\cmd.exe (PID 5020, depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\PRD.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3828, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file lkndwsjds.ps1
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 4368, depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gx0symsp\gx0symsp.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4772, depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA07.tmp" "c:\Users\Admin\AppData\Local\Temp\gx0symsp\CSC26B9C9771AC04A4ABBAD6C4F76CC3431.TMP"
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1800, depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gch0euju\gch0euju.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3608, depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8CC.tmp" "c:\Users\Admin\AppData\Local\Temp\gch0euju\CSC11F9E81B32B47DE8AFAD575FB04F62.TMP"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: caf84b5f1931155678e26c5540d74f09
  SHA1: b1d37b2c8632c9002cdd57101d599d0644d1ef2a
  SHA256: 742bf95e60737e4fc8de932f8904aab89e2aba3ee663b312662f25d51b06139b
  SHA512: 87949de22aa41d23bad2ee0a875178aba91e0b186e4a1cfd4df7013f1613ef234a22a84f76356d405ae584b983bec5f7c3372fbd953aba31df776f146e6f3591
- Filesize: 1KB
  MD5: d945d6ddd39b85b935e17a90a34f8153
  SHA1: e0e8a9887b4bf2a838c5f7ff4627d05e70bb1e73
  SHA256: 3c5e221f9015965c6e666e527aadd064cdbf1ce95347b9d2de69f7f6af943b83
  SHA512: 9c4f682915c26a6d250a5dfab1b6afe55ce3938db488d2f8dff5ebe46932c7bfbb61cf82ae741f79a3a2be73724f4a40071147c240e65acbe379a394116c2e88
- Filesize: 3KB
  MD5: dc4c9a2cbe83a798c1902e2fdd663233
  SHA1: ae1288ec37cf7008905ae8a44cdb488fb3936bca
  SHA256: 50af95f2b548d34f029714ce2daf073c3f3dc43679cae0a0f7de01ccf3b48c17
  SHA512: 4addff21787ed3cabfbe77b4cf3970fda2696f43e7e204d1735985b75128738530a204337ab198ca362ed11500d089d7da3cb4bfac8432c8f215154204ba325e
- Filesize: 3KB
  MD5: 44fe191389014dbad92d8575b5faafa8
  SHA1: 60e74bd156b2ddb513d7478e13fe98c884a1f418
  SHA256: d3daedfecf3dc6fbf2f38518692340c07b35da06ecda07200406da02e7388ae8
  SHA512: e26f86d31dde8c310a5ad84107fe336af50bb1059679bb6c73c5d5cec5d6b4175c733636a0d8606864a656e6475b41dedd388a3dc8ec3db395f23c3469df04be
- Filesize: 652B
  MD5: 7334ada33e71ea82d9b02329381d292d
  SHA1: 68d004ab7782eb0160ca7a803ffb842ff79b7c65
  SHA256: 7f8a0cfa47f47339ee30a506186ea43104279b5cf74217f1a0434ae078e3b1d8
  SHA512: 73057bd038304ddd7c584903872e4b93f3d7c761673b4205d2081bba5ef345839a4032ba02dca8d15c382658174397118a95ac14852b9cac112bf7e3477b4e4f
- Filesize: 582B
  MD5: 2bb8d0ee93aeae61a09adf4db6f29c1c
  SHA1: 8da3034bb8f84ea2522e276b492b2797b5db30ca
  SHA256: 68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817
  SHA512: b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677
- Filesize: 369B
  MD5: 35be607b158ad054f9dde23ce45543b5
  SHA1: a7ae3bfaa4fd323518c985a9282f2007836dbc9d
  SHA256: a57d84325e6070080ec98e9726944406a7ea8576fab7694b7d71f69e80f8951a
  SHA512: a39226465979074c645a2c92b66a1f4f27e08a1b0eccd400024fee1d73ba1d30d27aaef1803f6c749386c335a2c7ecb6b8af613578d82e26387de5032d74f5e6
- Filesize: 652B
  MD5: 9c7cc9388f1e8e966c2fd043694aec17
  SHA1: 8078eeb0b3047dcb46f75582d5d39bfc8513c0bc
  SHA256: 213eaa207bc94e59fd63205af456c183730da91b24d23f0cc6ccb26a0413e796
  SHA512: b6ad5d1558bfa3e82e1513f50d08544bc61c3bb7f8f010f6c729dc83c2f9c2dda5dc9dd23719a01f774e419c99cc9c7fa7e4deb6d274df13e38bf902bb2c7c55
- Filesize: 203B
  MD5: b611be9282deb44eed731f72bcbb2b82
  SHA1: cc1d606d853bbabd5fef87255356a0d54381c289
  SHA256: ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6
  SHA512: 63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4
- Filesize: 369B
  MD5: cbb0bb9bc574f3b946623812a5fa2327
  SHA1: ca53ab4424da997e7900920e5e877f0430d5d5b8
  SHA256: 5c8da4297296dc87831e4bb056cb3bf5e1f95a920f7ce1d88a68d132f5e0360b
  SHA512: 23e71e7043c990a2e80ae2a0247b66f6f5f7418040bf5ea3cae420bbfa3ac2c2b6f891ab0db8a80449a304538c2958ef5b6543dc98a38623e3a738f05d96b9e2