Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/02/2024, 16:03

Static task: static1
Behavioral task: behavioral1
Sample: Valorantprv.exe
Resource: win7-20240221-en
General
Target: Valorantprv.exe
Size: 6.1MB
MD5: 893a1bcd05d8697d749247ed88f29644
SHA1: 3e44e0856c00ea6d07d5a6f767c13c750df9b50c
SHA256: b97266f764abea6bd832262b970de1503408eb7de2e67c0d612651ce6ec96552
SHA512: 78e2451d141be3166efa54596d36e2872e2d28222a6ca67c67fec3494f9593f8a8272e3d9099cd973ef6b01540e0da4e489ad2762d873183f635420e437da544
SSDEEP: 196608:duAxxfWaEWPQ90x0fsSRpisVv4GmEU9fP0:dteOQ90efDidGEVP0
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Valorantprv.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Valorantprv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Valorantprv.exe

Loads dropped DLL (1 IoC)
  pid | Process
  2500 | Valorantprv.exe

Checks whether UAC is enabled (1 IoC)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Valorantprv.exe

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\X: | cmd.exe
  File opened (read-only) | \??\X: | cmd.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Valorantprv.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Valorantprv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  pid | Process
  2500 | Valorantprv.exe (6 identical entries)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2500 | Valorantprv.exe (64 identical entries)

Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 2500 wrote to memory of 2516 | 2500 | Valorantprv.exe | 94
  PID 2500 wrote to memory of 2516 | 2500 | Valorantprv.exe | 94
  PID 2516 wrote to memory of 1744 | 2516 | cmd.exe | 95
  PID 2516 wrote to memory of 1744 | 2516 | cmd.exe | 95
  PID 2500 wrote to memory of 4664 | 2500 | Valorantprv.exe | 96
  PID 2500 wrote to memory of 4664 | 2500 | Valorantprv.exe | 96
  PID 2500 wrote to memory of 3220 | 2500 | Valorantprv.exe | 97
  PID 2500 wrote to memory of 3220 | 2500 | Valorantprv.exe | 97
  PID 2500 wrote to memory of 460 | 2500 | Valorantprv.exe | 98
  PID 2500 wrote to memory of 460 | 2500 | Valorantprv.exe | 98
  PID 2500 wrote to memory of 3112 | 2500 | Valorantprv.exe | 99
  PID 2500 wrote to memory of 3112 | 2500 | Valorantprv.exe | 99
  PID 2500 wrote to memory of 3036 | 2500 | Valorantprv.exe | 100
  PID 2500 wrote to memory of 3036 | 2500 | Valorantprv.exe | 100
  PID 2500 wrote to memory of 2944 | 2500 | Valorantprv.exe | 101
  PID 2500 wrote to memory of 2944 | 2500 | Valorantprv.exe | 101
  PID 2500 wrote to memory of 452 | 2500 | Valorantprv.exe | 102
  PID 2500 wrote to memory of 452 | 2500 | Valorantprv.exe | 102
  PID 2500 wrote to memory of 2592 | 2500 | Valorantprv.exe | 103
  PID 2500 wrote to memory of 2592 | 2500 | Valorantprv.exe | 103
  PID 2500 wrote to memory of 2128 | 2500 | Valorantprv.exe | 104
  PID 2500 wrote to memory of 2128 | 2500 | Valorantprv.exe | 104
  PID 2500 wrote to memory of 868 | 2500 | Valorantprv.exe | 105
  PID 2500 wrote to memory of 868 | 2500 | Valorantprv.exe | 105
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Valorantprv.exe (PID 2500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Valorantprv.exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe (PID 2516)
        Command line: C:\Windows\system32\cmd.exe /c mountvol X: /S
        Signatures:
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\mountvol.exe (PID 1744)
            Command line: mountvol X: /S

    [2] C:\Windows\system32\cmd.exe (PID 4664)
        Command line: C:\Windows\system32\cmd.exe /c move X:\EFI\Microsoft\Boot\boot.efi X:\EFI\Microsoft\Boot\bootmgfw.efi
        Signatures:
        - Enumerates connected drives

    [2] C:\Windows\system32\cmd.exe (PID 3220)
        Command line: C:\Windows\system32\cmd.exe /c cls

    [2] C:\Windows\system32\cmd.exe (PID 460)
        Command line: C:\Windows\system32\cmd.exe /c del X:\EFI\Boot\startup.nsh

    [2] C:\Windows\system32\cmd.exe (PID 3112)
        Command line: C:\Windows\system32\cmd.exe /c cls

    [2] C:\Windows\system32\cmd.exe (PID 3036)
        Command line: C:\Windows\system32\cmd.exe /c del X:\EFI\Boot\bootx64.efi

    [2] C:\Windows\system32\cmd.exe (PID 2944)
        Command line: C:\Windows\system32\cmd.exe /c cls

    [2] C:\Windows\system32\cmd.exe (PID 452)
        Command line: C:\Windows\system32\cmd.exe /c del X:\mapper.efi

    [2] C:\Windows\system32\cmd.exe (PID 2592)
        Command line: C:\Windows\system32\cmd.exe /c cls

    [2] C:\Windows\system32\cmd.exe (PID 2128)
        Command line: C:\Windows\system32\cmd.exe /c move X:\EFI\Boot\bootx64.efi.backup X:\EFI\Boot\bootx64.efi
        Signatures:
        - Enumerates connected drives

    [2] C:\Windows\system32\cmd.exe (PID 868)
        Command line: C:\Windows\system32\cmd.exe /c cls
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 10KB
MD5: f7003d7b57e8ddff11f488ae449f4bdf
SHA1: 4494811b26d5d8547193bac35257f67a762105c7
SHA256: 56dbc98c0a7b6e8c26f9b9b99919e348c04b776b75baf8aa1c2190c07af0a249
SHA512: f88001c334114a86e974d2a17d5d36bb0148c937277426aba8675e7a30625169d862d98209c3978bad89276a7c2c8114b14506a6e3f0ec934d88382078b9a3c3