Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

PRD.lnk

windows7-x64

3

PRD.lnk

windows10-2004-x64

9

lkndwsjds.ps1

windows7-x64

1

lkndwsjds.ps1

windows10-2004-x64

9

Analysis

  • max time kernel
    78s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2022, 19:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lkndwsjds.ps1

  • Size

    1.6MB

  • MD5

    43b8002185775160d5b83de4a210dd35

  • SHA1

    62202c63aeef127ba0fb2c3ba1011d5f57b7bd61

  • SHA256

    9251fb4f0360db6cd155676c3abf99a5dcfb8b2de560a43ef36d9eec7718f987

  • SHA512

    f9bb592c7068e9a5f437b200548fb3edca4e889ac0eba7a9ddc9d2f1797cfa473848ddf2636f38ec205a625df40561e9998e89e6682a5abf3a6b399455186f9e

  • SSDEEP

    24576:cCrxYbz4x5sfmFGtW4FnXVROmygccvaP0iP3:krUGtbXDOnB8I

Score
9/10
evasion

Malware Config

Signatures

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\lkndwsjds.ps1
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ulbuofei\ulbuofei.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FD3.tmp" "c:\Users\Admin\AppData\Local\Temp\ulbuofei\CSCE5C4684E16044F698683B39D9342FE50.TMP"
        3⤵
          PID:3996
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lldvju2v\lldvju2v.cmdline"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:756
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A43.tmp" "c:\Users\Admin\AppData\Local\Temp\lldvju2v\CSCA37AEDC1C64C4AC484FBC12BFB34D3E.TMP"
          3⤵
            PID:4016

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES7FD3.tmp
        Filesize

        1KB

        MD5

        4f8f830b0e023d26f65bd9353068a874

        SHA1

        2f50aca9598e8c0e061fbb73f5be9042b8e821bd

        SHA256

        3c7fdf5b9e203e60e0e28d0af3812364c83cffacff7e7d6bc3c9df336dc59b5e

        SHA512

        8f8b0050aff5ac06a84c2dd9e5e5b59cadf037da5efe01a3e5200d9af3f4979589e4e153371a199e607531d77ee3a2b5dd673aa6309a501bcf8efc60168a496b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES8A43.tmp
        Filesize

        1KB

        MD5

        8571110c311e06764ac9de85d8d398be

        SHA1

        805f6e2eea0581cb3e5630671b9a8991d0b3a369

        SHA256

        9083fa146385760a49fa1843425ec38fb223600aced3a257e3a6e86d2abc1b6f

        SHA512

        89dfbaa1e516437a6bf4751f907fd718d657af561fe64a3a3a7f529c15daf54bbf0bbb61fc55fa8f70bf6765d1039573b470c979a4bf55838dcda5c6ccd40f21

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\lldvju2v\lldvju2v.dll
        Filesize

        3KB

        MD5

        397bdc08d9d02a46274bff5f96e2031c

        SHA1

        dba6d3dd297c574c48c4a6dda82ed20e7698ea47

        SHA256

        51c8c12e5bb68e34069e296b36b3dc26055b9825524a563fa13b38faf9e54a5b

        SHA512

        aeb8c64a99ac6f669cebf808f9b72e142797220ca5d6464acfd985f754d9d9b543e91141609bb0bf3184b78bf97be4bc5f01a7173256d2d2ee7e869b18f369c6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ulbuofei\ulbuofei.dll
        Filesize

        3KB

        MD5

        fe613afa2fe0f2833d9bc13a7e240ec2

        SHA1

        aefb9243a28d0b7fb948f80f59bfacef353d2e7e

        SHA256

        ef550c125008303c5bc2f4f665c3248f4a2d96dd8597e1979759b543900e18dc

        SHA512

        0b600b64ff50975aa6702086c7077fa7a0eb07bf33a91e91d290a2f6c4c729fdcc5d331392f0bb008e98f189acc4cd7255404ab9bd8cc4ec80950d5e6b7eb53c

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\lldvju2v\CSCA37AEDC1C64C4AC484FBC12BFB34D3E.TMP
        Filesize

        652B

        MD5

        0fd9d13b6ee5febaf2e92cfe7c2490f1

        SHA1

        ba2b87ed296f6f8725451d8111cd7697f51866e5

        SHA256

        46fc5a3f8494386ca472d88805c132764e958024e4adb09c623548eafcbfcc31

        SHA512

        7be1e6e623d412866933c568daf65c26084698c2b5f2094b9ce689685c16513e2a179b31eebf8f02bd4d8a5c022151899a2d8590a8d292c2567258af377b4ca1

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\lldvju2v\lldvju2v.0.cs
        Filesize

        582B

        MD5

        2bb8d0ee93aeae61a09adf4db6f29c1c

        SHA1

        8da3034bb8f84ea2522e276b492b2797b5db30ca

        SHA256

        68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

        SHA512

        b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\lldvju2v\lldvju2v.cmdline
        Filesize

        369B

        MD5

        aa80189caf48c356d905df245e4b3423

        SHA1

        6ad76d5e5ebbcd79ff7fe102e842c963b497be2c

        SHA256

        f1ef0a85b88deaa5e51090687695413db5aebb4d6aefeda957b263dff9a2d9e7

        SHA512

        99f55a4950767c652d63777c0fd044a875a422a5163b6732b216190034782f2854da9c20730d8ce4b0e9d71e8395e54ddf9b499e4f7a436eb52406f5a4c21488

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ulbuofei\CSCE5C4684E16044F698683B39D9342FE50.TMP
        Filesize

        652B

        MD5

        787b7513e28fb06c3d5a7fdb1bcf48df

        SHA1

        528dcb87be05ae6d2bf9124a0d8e9d708e3a20f2

        SHA256

        187ba3ec08a528dcce3a360c63fd9cd2cf9812522bcf0939b658835562f22c04

        SHA512

        97f9c071959f2e813223f57b96ef5fc7be78212aeeba7173cd6a1a74eb8a1972da2febf86b102f723d2ef0501a0bccc8fe18b0fdc5d9edac8277c141877cb5c5

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ulbuofei\ulbuofei.0.cs
        Filesize

        203B

        MD5

        b611be9282deb44eed731f72bcbb2b82

        SHA1

        cc1d606d853bbabd5fef87255356a0d54381c289

        SHA256

        ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

        SHA512

        63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ulbuofei\ulbuofei.cmdline
        Filesize

        369B

        MD5

        24cc4efd8461458991200ea51ade6a3c

        SHA1

        d12cc75d851dc4ed5ee4f6cb08a45e85e403f641

        SHA256

        aeffc5d493541eabfcccfb2487618ec2a2083170bfb4af5120a6cc27e276ecd7

        SHA512

        3584ae3ddfc7a331997543a137c116c777e4421ccb0ba310452e67035e41f38a27f7c1526d61817449d9916d44c0d60b16a3ab36ba3e5f9e7004afaeb6c8b2d8

        Download Submit

      • memory/4908-132-0x00000250F3270000-0x00000250F3292000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4908-134-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4908-148-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

        Filesize

        10.8MB

        Download