Analysis
- max time kernel: 78s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/09/2022, 19:21
Tasks
- Static task static1
- Behavioral task behavioral1: sample PRD.lnk, resource win7-20220812-en
- Behavioral task behavioral2: sample PRD.lnk, resource win10v2004-20220812-en
- Behavioral task behavioral3: sample lkndwsjds.ps1, resource win7-20220812-en
- Behavioral task behavioral4: sample lkndwsjds.ps1, resource win10v2004-20220812-en
General
- Target: lkndwsjds.ps1
- Size: 1.6MB
- MD5: 43b8002185775160d5b83de4a210dd35
- SHA1: 62202c63aeef127ba0fb2c3ba1011d5f57b7bd61
- SHA256: 9251fb4f0360db6cd155676c3abf99a5dcfb8b2de560a43ef36d9eec7718f987
- SHA512: f9bb592c7068e9a5f437b200548fb3edca4e889ac0eba7a9ddc9d2f1797cfa473848ddf2636f38ec205a625df40561e9998e89e6682a5abf3a6b399455186f9e
- SSDEEP: 24576:cCrxYbz4x5sfmFGtW4FnXVROmygccvaP0iP3:krUGtbXDOnB8I
Malware Config
Signatures

Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
Process: powershell.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
Process: powershell.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Process: powershell.exe
- Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions

Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: powershell.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Process: powershell.exe
- Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Wine
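All five registry signatures above come from one process and are the same anti-VM pattern: probe VirtualBox service keys, ACPI table names, Guest Additions, BIOS strings and Wine, then presumably change behaviour if any hit. The following is an added detection example (not tria.ge code and not the sample's own logic) that classifies registry accesses into those five families and flags a process only when it combines several of them. The event records are constructed to mirror the IoCs listed in the report; the record layout, the made-up `inventory.exe` process and the family names are assumptions of this example.

```python
"""Classify registry accesses into the anti-VM / anti-sandbox signature families
listed in the report, and flag only processes that combine several families."""
import re
from collections import defaultdict

# Constructed events modelled on the report's "Key opened" / "Key value queried"
# IoCs (field layout is ours, not a sandbox export). PID 2222 is a made-up
# inventory agent that reads one BIOS value, which benign software commonly does.
SAMPLE_EVENTS = [
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (4908, "powershell.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate"),
    (4908, "powershell.exe", r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Wine"),
    (2222, "inventory.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (1234, "explorer.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

# One regex per signature family, anchored on the tail of the key path so the
# hive spelling (\REGISTRY\MACHINE vs HKLM) and the ControlSet number don't matter.
SIGNATURES = {
    "vbox_service_keys": re.compile(r"\\Services\\VBox(Mouse|Service|SF|Video|Guest)$", re.I),
    "vbox_acpi_tables": re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I),
    "vbox_guest_additions": re.compile(r"\\Oracle\\VirtualBox Guest Additions$", re.I),
    "bios_description": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I),
    "wine_key": re.compile(r"\\SOFTWARE\\Wine$", re.I),
}


def match_events(events):
    """Map pid -> {family: [matching key paths]} over (pid, image, path) tuples."""
    hits = defaultdict(lambda: defaultdict(list))
    for pid, _image, path in events:
        for family, rx in SIGNATURES.items():
            if rx.search(path):
                hits[pid][family].append(path)
    return {pid: dict(fams) for pid, fams in hits.items()}


def flag_anti_vm(events, min_families=2):
    """Return {pid: sorted families} for processes that touch at least
    min_families distinct families. A lone BIOS read or a lone VBox key is
    routine for inventory agents and for VirtualBox's own installer; the
    combination seen in the report is not."""
    return {pid: sorted(fams)
            for pid, fams in match_events(events).items()
            if len(fams) >= min_families}


if __name__ == "__main__":
    for pid, fams in flag_anti_vm(SAMPLE_EVENTS).items():
        print(f"PID {pid}: anti-VM families {', '.join(fams)}")
```

With the default threshold only PID 4908 is flagged (all five families); the single BIOS read by the made-up inventory agent is matched but not flagged, which is the point of counting families rather than raw IoCs.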
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
- PID 4908 powershell.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4908 powershell.exe (64 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 4908 powershell.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 4908 (powershell.exe) wrote to memory of PID 5040 (csc.exe), procid_target 83 (listed twice)
- PID 5040 (csc.exe) wrote to memory of PID 3996 (cvtres.exe), procid_target 85 (listed twice)
- PID 4908 (powershell.exe) wrote to memory of PID 756 (csc.exe), procid_target 86 (listed twice)
- PID 756 (csc.exe) wrote to memory of PID 4016 (cvtres.exe), procid_target 87 (listed twice)
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4908)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\lkndwsjds.ps1
  Signatures: Enumerates VirtualBox registry keys; Identifies VirtualBox via ACPI registry values (likely anti-VM); Looks for VirtualBox Guest Additions in registry; Checks BIOS information in registry; Identifies Wine through registry keys; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 5040)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ulbuofei\ulbuofei.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3996)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FD3.tmp" "c:\Users\Admin\AppData\Local\Temp\ulbuofei\CSCE5C4684E16044F698683B39D9342FE50.TMP"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 756)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lldvju2v\lldvju2v.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4016)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A43.tmp" "c:\Users\Admin\AppData\Local\Temp\lldvju2v\CSCA37AEDC1C64C4AC484FBC12BFB34D3E.TMP"
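The tree shows powershell.exe, started with `-ExecutionPolicy bypass -File`, twice spawning csc.exe with `/noconfig /fullpaths @"...\<random>\<random>.cmdline"`, each csc.exe in turn running cvtres.exe. That is what `Add-Type` produces when a script compiles embedded C# at run time: the source and response file land in a randomly named Temp subdirectory and csc.exe is invoked with a response file. The eight WriteProcessMemory IoCs pair exactly with the four parent-to-child edges (4908 to 5040, 5040 to 3996, 4908 to 756, 756 to 4016), so the two tables describe the same five processes. The following is an added example (not tria.ge code) that rebuilds the tree from process-creation records and picks out that inline-compile chain; the records use the PIDs, images and command lines from the report, but the record layout and the function names are assumptions of this example.

```python
"""Rebuild a process tree from process-creation records and pick out PowerShell
hosts that compile C# on the fly through csc.exe (the Add-Type pattern)."""
import re
from collections import defaultdict

# Constructed process-creation records using the PIDs, images and command lines
# shown in the report's process tree. The (pid, ppid, image, cmdline) layout is
# ours, not a sandbox export; ppid 0 stands in for the unseen sandbox launcher.
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PROCS = [
    (4908, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     rf"powershell.exe -ExecutionPolicy bypass -File {TMP}\lkndwsjds.ps1"),
    (5040, 4908, rf"{NET}\csc.exe",
     rf'"{NET}\csc.exe" /noconfig /fullpaths @"{TMP}\ulbuofei\ulbuofei.cmdline"'),
    (3996, 5040, rf"{NET}\cvtres.exe",
     rf'{NET}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TMP}\RES7FD3.tmp" '
     rf'"{TMP}\ulbuofei\CSCE5C4684E16044F698683B39D9342FE50.TMP"'),
    (756, 4908, rf"{NET}\csc.exe",
     rf'"{NET}\csc.exe" /noconfig /fullpaths @"{TMP}\lldvju2v\lldvju2v.cmdline"'),
    (4016, 756, rf"{NET}\cvtres.exe",
     rf'{NET}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TMP}\RES8A43.tmp" '
     rf'"{TMP}\lldvju2v\CSCA37AEDC1C64C4AC484FBC12BFB34D3E.TMP"'),
]

# csc.exe response-file invocation as written by Add-Type: /noconfig /fullpaths @"<path>.cmdline"
CSC_RESPONSE_FILE = re.compile(r'/noconfig\s+/fullpaths\s+@"?([^"\s]+\.cmdline)"?', re.I)


def build_tree(procs):
    """Return (by_pid, children): pid -> (ppid, image, cmdline) and ppid -> [pids]."""
    by_pid = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in procs}
    children = defaultdict(list)
    for pid, ppid, _image, _cmdline in procs:
        children[ppid].append(pid)
    return by_pid, children


def render_tree(procs):
    """Indented text tree, one line per process: '<indent><image> (PID <n>)'.
    Roots are processes whose parent is not itself in the record set."""
    by_pid, children = build_tree(procs)
    lines = []

    def walk(pid, depth):
        image = by_pid[pid][1].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{image} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for pid, (ppid, _image, _cmd) in by_pid.items():
        if ppid not in by_pid:
            walk(pid, 0)
    return lines


def find_inline_compiles(procs):
    """Return [(powershell_pid, csc_pid, response_file)] for every csc.exe whose
    parent is powershell.exe and whose command line carries a .cmdline response
    file, which is how Add-Type hands the generated source to the compiler."""
    by_pid, _children = build_tree(procs)
    hits = []
    for pid, (ppid, image, cmdline) in by_pid.items():
        if not image.lower().endswith("\\csc.exe") or ppid not in by_pid:
            continue
        parent_image = by_pid[ppid][1].lower()
        m = CSC_RESPONSE_FILE.search(cmdline)
        if parent_image.endswith("\\powershell.exe") and m:
            hits.append((ppid, pid, m.group(1)))
    return hits


def bypass_hosts(procs):
    """PIDs of powershell.exe instances launched with -ExecutionPolicy bypass."""
    by_pid, _children = build_tree(procs)
    return [pid for pid, (_ppid, image, cmd) in by_pid.items()
            if image.lower().endswith("\\powershell.exe")
            and re.search(r"-executionpolicy\s+bypass", cmd, re.I)]


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_PROCS)))
    for ps_pid, csc_pid, rsp in find_inline_compiles(SAMPLE_PROCS):
        print(f"powershell {ps_pid} -> csc {csc_pid} compiling from {rsp}")
```

On the report's data this yields two compile hits, both parented by PID 4908, and the same five-node tree as the Processes section. When hunting in real telemetry, the response-file path is the thing to collect: the .cmdline and the .cs next to it in that Temp subdirectory are the generated source, which is what the report's small Downloads entries most likely are, though the report itself does not name them.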
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 4f8f830b0e023d26f65bd9353068a874
  SHA1: 2f50aca9598e8c0e061fbb73f5be9042b8e821bd
  SHA256: 3c7fdf5b9e203e60e0e28d0af3812364c83cffacff7e7d6bc3c9df336dc59b5e
  SHA512: 8f8b0050aff5ac06a84c2dd9e5e5b59cadf037da5efe01a3e5200d9af3f4979589e4e153371a199e607531d77ee3a2b5dd673aa6309a501bcf8efc60168a496b
- Filesize: 1KB
  MD5: 8571110c311e06764ac9de85d8d398be
  SHA1: 805f6e2eea0581cb3e5630671b9a8991d0b3a369
  SHA256: 9083fa146385760a49fa1843425ec38fb223600aced3a257e3a6e86d2abc1b6f
  SHA512: 89dfbaa1e516437a6bf4751f907fd718d657af561fe64a3a3a7f529c15daf54bbf0bbb61fc55fa8f70bf6765d1039573b470c979a4bf55838dcda5c6ccd40f21
- Filesize: 3KB
  MD5: 397bdc08d9d02a46274bff5f96e2031c
  SHA1: dba6d3dd297c574c48c4a6dda82ed20e7698ea47
  SHA256: 51c8c12e5bb68e34069e296b36b3dc26055b9825524a563fa13b38faf9e54a5b
  SHA512: aeb8c64a99ac6f669cebf808f9b72e142797220ca5d6464acfd985f754d9d9b543e91141609bb0bf3184b78bf97be4bc5f01a7173256d2d2ee7e869b18f369c6
- Filesize: 3KB
  MD5: fe613afa2fe0f2833d9bc13a7e240ec2
  SHA1: aefb9243a28d0b7fb948f80f59bfacef353d2e7e
  SHA256: ef550c125008303c5bc2f4f665c3248f4a2d96dd8597e1979759b543900e18dc
  SHA512: 0b600b64ff50975aa6702086c7077fa7a0eb07bf33a91e91d290a2f6c4c729fdcc5d331392f0bb008e98f189acc4cd7255404ab9bd8cc4ec80950d5e6b7eb53c
- Filesize: 652B
  MD5: 0fd9d13b6ee5febaf2e92cfe7c2490f1
  SHA1: ba2b87ed296f6f8725451d8111cd7697f51866e5
  SHA256: 46fc5a3f8494386ca472d88805c132764e958024e4adb09c623548eafcbfcc31
  SHA512: 7be1e6e623d412866933c568daf65c26084698c2b5f2094b9ce689685c16513e2a179b31eebf8f02bd4d8a5c022151899a2d8590a8d292c2567258af377b4ca1
- Filesize: 582B
  MD5: 2bb8d0ee93aeae61a09adf4db6f29c1c
  SHA1: 8da3034bb8f84ea2522e276b492b2797b5db30ca
  SHA256: 68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817
  SHA512: b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677
- Filesize: 369B
  MD5: aa80189caf48c356d905df245e4b3423
  SHA1: 6ad76d5e5ebbcd79ff7fe102e842c963b497be2c
  SHA256: f1ef0a85b88deaa5e51090687695413db5aebb4d6aefeda957b263dff9a2d9e7
  SHA512: 99f55a4950767c652d63777c0fd044a875a422a5163b6732b216190034782f2854da9c20730d8ce4b0e9d71e8395e54ddf9b499e4f7a436eb52406f5a4c21488
- Filesize: 652B
  MD5: 787b7513e28fb06c3d5a7fdb1bcf48df
  SHA1: 528dcb87be05ae6d2bf9124a0d8e9d708e3a20f2
  SHA256: 187ba3ec08a528dcce3a360c63fd9cd2cf9812522bcf0939b658835562f22c04
  SHA512: 97f9c071959f2e813223f57b96ef5fc7be78212aeeba7173cd6a1a74eb8a1972da2febf86b102f723d2ef0501a0bccc8fe18b0fdc5d9edac8277c141877cb5c5
- Filesize: 203B
  MD5: b611be9282deb44eed731f72bcbb2b82
  SHA1: cc1d606d853bbabd5fef87255356a0d54381c289
  SHA256: ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6
  SHA512: 63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4
- Filesize: 369B
  MD5: 24cc4efd8461458991200ea51ade6a3c
  SHA1: d12cc75d851dc4ed5ee4f6cb08a45e85e403f641
  SHA256: aeffc5d493541eabfcccfb2487618ec2a2083170bfb4af5120a6cc27e276ecd7
  SHA512: 3584ae3ddfc7a331997543a137c116c777e4421ccb0ba310452e67035e41f38a27f7c1526d61817449d9916d44c0d60b16a3ab36ba3e5f9e7004afaeb6c8b2d8