Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

Valorantprv.exe

windows7-x64

9

Valorantprv.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/02/2024, 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Valorantprv.exe

  • Size

    6.1MB

  • MD5

    893a1bcd05d8697d749247ed88f29644

  • SHA1

    3e44e0856c00ea6d07d5a6f767c13c750df9b50c

  • SHA256

    b97266f764abea6bd832262b970de1503408eb7de2e67c0d612651ce6ec96552

  • SHA512

    78e2451d141be3166efa54596d36e2872e2d28222a6ca67c67fec3494f9593f8a8272e3d9099cd973ef6b01540e0da4e489ad2762d873183f635420e437da544

  • SSDEEP

    196608:duAxxfWaEWPQ90x0fsSRpisVv4GmEU9fP0:dteOQ90efDidGEVP0

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Valorantprv.exe
    "C:\Users\Admin\AppData\Local\Temp\Valorantprv.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mountvol X: /S
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\system32\mountvol.exe
        mountvol X: /S
        3⤵
          PID:1744
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c move X:\EFI\Microsoft\Boot\boot.efi X:\EFI\Microsoft\Boot\bootmgfw.efi
        2⤵
        • Enumerates connected drives
        PID:4664
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:3220
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c del X:\EFI\Boot\startup.nsh
          2⤵
            PID:460
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            2⤵
              PID:3112
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c del X:\EFI\Boot\bootx64.efi
              2⤵
                PID:3036
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                2⤵
                  PID:2944
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c del X:\mapper.efi
                  2⤵
                    PID:452
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c cls
                    2⤵
                      PID:2592
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c move X:\EFI\Boot\bootx64.efi.backup X:\EFI\Boot\bootx64.efi
                      2⤵
                      • Enumerates connected drives
                      PID:2128
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c cls
                      2⤵
                        PID:868

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\484ecf9c.dll
                      Filesize

                      10KB

                      MD5

                      f7003d7b57e8ddff11f488ae449f4bdf

                      SHA1

                      4494811b26d5d8547193bac35257f67a762105c7

                      SHA256

                      56dbc98c0a7b6e8c26f9b9b99919e348c04b776b75baf8aa1c2190c07af0a249

                      SHA512

                      f88001c334114a86e974d2a17d5d36bb0148c937277426aba8675e7a30625169d862d98209c3978bad89276a7c2c8114b14506a6e3f0ec934d88382078b9a3c3

                      Download Submit

                    • memory/2500-17-0x00007FF7796C0000-0x00007FF77A6FD000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/2500-21-0x000001BB99690000-0x000001BB996AA000-memory.dmp

                      Filesize

                      104KB

                      Download

                    • memory/2500-4-0x00007FF880030000-0x00007FF880031000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2500-0-0x00007FF7796C0000-0x00007FF77A6FD000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/2500-5-0x00007FF8F9E70000-0x00007FF8FA065000-memory.dmp

                      Filesize

                      2.0MB

                      Download

                    • memory/2500-6-0x00007FF7796C0000-0x00007FF77A6FD000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/2500-7-0x00007FF7796C0000-0x00007FF77A6FD000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/2500-9-0x0000000180000000-0x0000000180022000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2500-2-0x00007FF8F7620000-0x00007FF8F78E9000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/2500-16-0x00007FF7796C0000-0x00007FF77A6FD000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/2500-3-0x00007FF880000000-0x00007FF880002000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2500-27-0x000001BB995E0000-0x000001BB99668000-memory.dmp

                      Filesize

                      544KB

                      Download

                    • memory/2500-33-0x000001BB9B820000-0x000001BB9BA35000-memory.dmp

                      Filesize

                      2.1MB

                      Download

                    • memory/2500-1-0x00007FF8F7620000-0x00007FF8F78E9000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/2500-42-0x00007FF7796C0000-0x00007FF77A6FD000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/2500-43-0x00007FF8F7620000-0x00007FF8F78E9000-memory.dmp

                      Filesize

                      2.8MB

                      Download

                    • memory/2500-44-0x00007FF8F9E70000-0x00007FF8FA065000-memory.dmp

                      Filesize

                      2.0MB

                      Download

                    • memory/2500-46-0x00007FF7796C0000-0x00007FF77A6FD000-memory.dmp

                      Filesize

                      16.2MB

                      Download

                    • memory/2500-47-0x00007FF7796C0000-0x00007FF77A6FD000-memory.dmp

                      Filesize

                      16.2MB

                      Download