Analysis
max time kernel: 163s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 19:56
Behavioral task
behavioral1
Sample: 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Resource: win7-20230831-en
(The IoC and memory-dump paths below are prefixed behavioral2/, i.e. they belong to the Windows 10 run described in the Analysis block, not to this Windows 7 task.)
General
Target: 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Size: 9.5MB
MD5: 392666a39aa5606e5f161329ddba9403
SHA1: b567830d7179aaa44d016b84e4a5ebbe77d31cd7
SHA256: 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65
SHA512: b53c086adbc07c3f55ce3fba036f44cd0a0aaa80a7f8563ddf25437fe842822aac12b537a62753f09118bffe3ea858a92df6076b0ed4644d0c08c1cbff650843
SSDEEP: 196608:AbDCH2S46KtwRs3701se3rtwWe0EqsryDhnY2S5ulXqZyTic:A3RS4Nqm370BMLF6Y/5Pyec
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Pubg.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Pubg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Pubg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Executes dropped EXE (1 IoC)
pid | Process
5040 | Pubg.exe

Loads dropped DLL (1 IoC)
pid | Process
5040 | Pubg.exe
Themida packer (yara_rule: themida, 37 IoCs)
resource | yara_rule
behavioral2/memory/3856-N-0x0000000000210000-0x000000000112E000-memory.dmp, for N in 0, 2-10, 13, 24 (12 dumps) | themida
behavioral2/files/0x00070000000231be-23.dat | themida
behavioral2/files/0x00070000000231be-25.dat | themida
behavioral2/memory/5040-N-0x0000000072E60000-0x0000000073941000-memory.dmp, for N in 26-34, 36-49 (23 dumps) | themida
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Pubg.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N:, \??\Q:, \??\V:, \??\X:, \??\Y:, \??\E:, \??\G:, \??\H:, \??\L:, \??\M:, \??\O:, \??\P:, \??\Z:, \??\B:, \??\I:, \??\J:, \??\K:, \??\U:, \??\W:, \??\R:, \??\S:, \??\T: (one row per drive letter, 22 rows) | Pubg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
3856 | 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
5040 | Pubg.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Pubg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Pubg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3856 | 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe (8 hits)
5040 | Pubg.exe (56 hits)
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3856 | 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3856 wrote to memory of 5040 | 3856 | 2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe | 92 (3 identical rows)
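The signature tables in this report reach the reader as run-together rows. The Python below is an added example (not tria.ge code, and not a client of the tria.ge API): it splits those rows back into records, tags the registry locations that sandbox-aware samples read to fingerprint the host (the VirtualBox ACPI table, the BIOS version strings, the processor name, Geo\Nation and EnableLUA), and recovers the writer-to-target PID edge from the WriteProcessMemory rows. The row grammar, the FINGERPRINT_KEYS list and the category labels are assumptions of this example; the sample rows are copied from the tables above.

```python
"""
Structured view of the flattened IoC rows in a tria.ge behavioural report.

Added example for this page, not tria.ge's own code. The row grammar
("<action> <registry path> <process image>", rows run together on one line)
is inferred from the report text and is an assumption; the category labels
are ours. Sample rows are copied from the signature tables of this report.
"""
import re
from collections import Counter, defaultdict

SAMPLE_EXE = "2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe"

# Registry locations that sandbox-aware samples read to fingerprint the host,
# matched case-insensitively against the tail of the queried path.
FINGERPRINT_KEYS = [
    (re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I), "vm:virtualbox-acpi"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), "bios"),
    (re.compile(r"\\CentralProcessor\\0(\\ProcessorNameString)?$", re.I), "cpu"),
    (re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), "geofence"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I), "uac"),
]

# One row: action, a path rooted at \REGISTRY\ (it may contain spaces, e.g.
# "Control Panel"), then the process image.  The lazy path match stops at the
# first whitespace-separated token that ends in ".exe".
ROW_RE = re.compile(
    r"(?P<action>Key opened|Key value queried)\s+"
    r"(?P<path>\\REGISTRY\\.+?)\s+"
    r"(?P<process>\S+\.exe)(?=\s|$)"
)

EDGE_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")


def tag_path(path: str) -> str:
    """Return the fingerprint category for a registry path, or 'other'."""
    for pattern, label in FINGERPRINT_KEYS:
        if pattern.search(path):
            return label
    return "other"


def parse_registry_rows(text: str) -> list[dict]:
    """Split run-together IoC rows into records, each with a fingerprint tag."""
    return [
        {
            "action": m["action"],
            "path": m["path"],
            "process": m["process"],
            "tag": tag_path(m["path"]),
        }
        for m in ROW_RE.finditer(text)
    ]


def fingerprint_summary(rows: list[dict]) -> dict[str, dict[str, int]]:
    """Count fingerprint categories per process image."""
    summary: dict[str, Counter] = defaultdict(Counter)
    for row in rows:
        summary[row["process"]][row["tag"]] += 1
    return {proc: dict(counts) for proc, counts in summary.items()}


def write_edges(text: str) -> list[tuple[int, int]]:
    """Unique (writer PID, target PID) pairs from WriteProcessMemory rows."""
    return sorted({(int(m["src"]), int(m["dst"])) for m in EDGE_RE.finditer(text)})


# Constructed input: the registry IoC rows and the WriteProcessMemory rows as
# they appear in this report, one signature table per line.
REPORT_ROWS = f"""\
description ioc Process Key opened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ {SAMPLE_EXE} Key opened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ Pubg.exe
description ioc Process Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion {SAMPLE_EXE} Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion Pubg.exe Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion Pubg.exe Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion {SAMPLE_EXE}
description ioc Process Key value queried \\REGISTRY\\USER\\S-1-5-21-3027552071-446050021-1254071215-1000\\Control Panel\\International\\Geo\\Nation {SAMPLE_EXE}
description ioc Process Key value queried \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA {SAMPLE_EXE} Key value queried \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA Pubg.exe
description ioc Process Key opened \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 Pubg.exe Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString Pubg.exe
description pid Process procid_target PID 3856 wrote to memory of 5040 3856 {SAMPLE_EXE} 92 PID 3856 wrote to memory of 5040 3856 {SAMPLE_EXE} 92 PID 3856 wrote to memory of 5040 3856 {SAMPLE_EXE} 92
"""

if __name__ == "__main__":
    parsed = parse_registry_rows(REPORT_ROWS)
    for proc, counts in fingerprint_summary(parsed).items():
        print(proc, counts)
    print("write edges:", write_edges(REPORT_ROWS))
```

Run stand-alone it prints one summary line per process image (the dropped Pubg.exe accounts for the two processor-key reads, the parent for the Geo\Nation lookup) and the single 3856 -> 5040 edge. Note that the registry reads themselves are not something Sysmon records (its registry events cover key creation, deletion and value writes), so these rows are useful for understanding the sample's evasion logic rather than as direct detection content.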
Processes
C:\Users\Admin\AppData\Local\Temp\2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2a54518e72e46f6fc4a7b631cdf12d1d698392e50994f379288c16ef791f0d65.exe"
  PID: 3856
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Pubg\Pubg.exe (child of PID 3856)
    command line: "C:\Users\Admin\AppData\Roaming\Pubg\Pubg.exe"
    PID: 5040
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.0MB (same file listed 3 times)
MD5: 9037a40fb3c7b5948345acb3a9401c53
SHA1: 2957d67dc98c7058e9e556f0690f86b22b1dbd5b
SHA256: 97b33e2b233b779dad59cecb75f8da31f7a197c278118452dffa94bb6e178aa3
SHA512: b129e98fc7bc22186562d9b18f9236f1cc44ad8df657135029f4e1c577eb016d982ae7dce18eb06a3d207cf07a85f9c4986b765b6e918dad902c69ba3424f6cf

Filesize: 4.8MB (same file listed 2 times)
MD5: 0fc261b54b97df2c0c3e0699b367e0bd
SHA1: c732ad05d195fda68e5cc34cb6cb7bfa7e54f0ea
SHA256: 8fe43723ea28ecaf1bd8496dc27aaf45c6d2818ee4ba77a8945588af73e21e82
SHA512: fd39a201420c4a14e6793ac3ebef0743b5bba9ab27274b09d73a8338cb61b850cfc2839e8afa365b6db157fb936887bbf7553bdbdd64c437a6bd9857529510f3