Resubmissions

03/10/2022, 18:11 UTC

221003-wstmjaacgm 10

26/09/2022, 21:49 UTC

220926-1pkmnsdbdq 9

Analysis

  • max time kernel
    40s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/09/2022, 21:49 UTC

General

  • Target

    PnrirLoslBOSWR.bat

  • Size

    1KB

  • MD5

    6fe0cff624e47547185b869db1d72f45

  • SHA1

    ed28b0e2acc7e357152001fbeffdbea6ceab0230

  • SHA256

    4685e7be2b60d0edc5480a4befbac6130dc65c7bd149f6010b86d24a601bcb3f

  • SHA512

    1613a4eec4e9f62379458e0c1d3fcd5de453174f445a8ebd673ca1cb22f26f32d2b58bd0da094deed14af8d1ed7a3f7bf3e026702c751883c81e79c7890aa654

Score
9/10

Malware Config

Signatures

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\PnrirLoslBOSWR.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\system32\rundll32.exe
      rundll32 lqDwAhoXOlNwLd.dll,TlvRun
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1340

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1340-55-0x0000000001F00000-0x0000000002053000-memory.dmp

    Filesize

    1.3MB
