Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22/02/2024, 16:03
Static task: static1
Behavioral task: behavioral1
Sample: Valorantprv.exe
Resource: win7-20240221-en
General
- Target: Valorantprv.exe
- Size: 6.1MB
- MD5: 893a1bcd05d8697d749247ed88f29644
- SHA1: 3e44e0856c00ea6d07d5a6f767c13c750df9b50c
- SHA256: b97266f764abea6bd832262b970de1503408eb7de2e67c0d612651ce6ec96552
- SHA512: 78e2451d141be3166efa54596d36e2872e2d28222a6ca67c67fec3494f9593f8a8272e3d9099cd973ef6b01540e0da4e489ad2762d873183f635420e437da544
- SSDEEP: 196608:duAxxfWaEWPQ90x0fsSRpisVv4GmEU9fP0:dteOQ90efDidGEVP0
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  process: Valorantprv.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  process: Valorantprv.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  process: Valorantprv.exe
- Loads dropped DLL (1 IoC)
  pid: 2156
  process: Valorantprv.exe
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Valorantprv.exe
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  ioc: \??\X:
  process: cmd.exe
  description: File opened (read-only)
  ioc: \??\X:
  process: cmd.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid 2156, process Valorantprv.exe (4 occurrences)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid 2156, process Valorantprv.exe (20 occurrences)
- Suspicious use of WriteProcessMemory (36 IoCs)
  description / pid / process / procid_target (each entry recorded 3 times):
  PID 2156 wrote to memory of 2620 (2156 Valorantprv.exe -> 29)
  PID 2620 wrote to memory of 2544 (2620 cmd.exe -> 30)
  PID 2156 wrote to memory of 2528 (2156 Valorantprv.exe -> 31)
  PID 2156 wrote to memory of 2816 (2156 Valorantprv.exe -> 32)
  PID 2156 wrote to memory of 2520 (2156 Valorantprv.exe -> 33)
  PID 2156 wrote to memory of 2596 (2156 Valorantprv.exe -> 34)
  PID 2156 wrote to memory of 2400 (2156 Valorantprv.exe -> 35)
  PID 2156 wrote to memory of 2576 (2156 Valorantprv.exe -> 36)
  PID 2156 wrote to memory of 2812 (2156 Valorantprv.exe -> 37)
  PID 2156 wrote to memory of 2548 (2156 Valorantprv.exe -> 38)
  PID 2156 wrote to memory of 2612 (2156 Valorantprv.exe -> 39)
  PID 2156 wrote to memory of 2256 (2156 Valorantprv.exe -> 40)
Processes
- C:\Users\Admin\AppData\Local\Temp\Valorantprv.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Valorantprv.exe"
  PID: 2156
  signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c mountvol X: /S
    PID: 2620
    signatures:
    - Suspicious use of WriteProcessMemory
    children:
    - C:\Windows\system32\mountvol.exe
      command line: mountvol X: /S
      PID: 2544
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c move X:\EFI\Microsoft\Boot\boot.efi X:\EFI\Microsoft\Boot\bootmgfw.efi
    PID: 2528
    signatures:
    - Enumerates connected drives
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 2816
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c del X:\EFI\Boot\startup.nsh
    PID: 2520
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 2596
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c del X:\EFI\Boot\bootx64.efi
    PID: 2400
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 2576
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c del X:\mapper.efi
    PID: 2812
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 2548
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c move X:\EFI\Boot\bootx64.efi.backup X:\EFI\Boot\bootx64.efi
    PID: 2612
    signatures:
    - Enumerates connected drives
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
    PID: 2256
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10KB
  MD5: f7003d7b57e8ddff11f488ae449f4bdf
  SHA1: 4494811b26d5d8547193bac35257f67a762105c7
  SHA256: 56dbc98c0a7b6e8c26f9b9b99919e348c04b776b75baf8aa1c2190c07af0a249
  SHA512: f88001c334114a86e974d2a17d5d36bb0148c937277426aba8675e7a30625169d862d98209c3978bad89276a7c2c8114b14506a6e3f0ec934d88382078b9a3c3