Analysis

  • max time kernel
    144s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2022, 19:21

General

  • Target

    PRD.lnk

  • Size

    1KB

  • MD5

    03475b66ae9683c845b1b99c9fb7b5f1

  • SHA1

    6ac4dd7bc3136f7b8c1b8f8b60d855a4f606bd67

  • SHA256

    7ba64fb34d07705c909cb271df4f8ffd152618897b25e77379c836b5c57fe1b4

  • SHA512

    ac41a57a4dd9993f53612c2a1b72c9375ced61d0f4e3b72403ce4d28d30c6353075756b439346cb7352be9656b4a54a76cc6846d3eb9f5fd0799372930240179

Score
9/10

Signatures

  • Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 3 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\PRD.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file lkndwsjds.ps1
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gx0symsp\gx0symsp.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA07.tmp" "c:\Users\Admin\AppData\Local\Temp\gx0symsp\CSC26B9C9771AC04A4ABBAD6C4F76CC3431.TMP"
          4⤵
          PID:4772
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gch0euju\gch0euju.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1800
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8CC.tmp" "c:\Users\Admin\AppData\Local\Temp\gch0euju\CSC11F9E81B32B47DE8AFAD575FB04F62.TMP"
            4⤵
            PID:3608

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESEA07.tmp (1KB)
  • C:\Users\Admin\AppData\Local\Temp\RESF8CC.tmp (1KB)
  • C:\Users\Admin\AppData\Local\Temp\gch0euju\gch0euju.dll (3KB)
  • C:\Users\Admin\AppData\Local\Temp\gx0symsp\gx0symsp.dll (3KB)
  • \??\c:\Users\Admin\AppData\Local\Temp\gch0euju\CSC11F9E81B32B47DE8AFAD575FB04F62.TMP (652B)
  • \??\c:\Users\Admin\AppData\Local\Temp\gch0euju\gch0euju.0.cs (582B)
  • \??\c:\Users\Admin\AppData\Local\Temp\gch0euju\gch0euju.cmdline (369B)
  • \??\c:\Users\Admin\AppData\Local\Temp\gx0symsp\CSC26B9C9771AC04A4ABBAD6C4F76CC3431.TMP (652B)
  • \??\c:\Users\Admin\AppData\Local\Temp\gx0symsp\gx0symsp.0.cs (203B)
  • \??\c:\Users\Admin\AppData\Local\Temp\gx0symsp\gx0symsp.cmdline (369B)

  • memory/3828-134-0x00007FF87DA60000-0x00007FF87E521000-memory.dmp (10.8MB)
  • memory/3828-133-0x00000167DB810000-0x00000167DB832000-memory.dmp (136KB)
  • memory/3828-149-0x00007FF87DA60000-0x00007FF87E521000-memory.dmp (10.8MB)