Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

Summer Loa....2.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    1799s
  • max time network
    1497s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/03/2024, 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Summer Loader Valorant V1.2.exe

  • Size

    701KB

  • MD5

    339da3d1b7c0e2f38aeaac8fa11b1159

  • SHA1

    e0e9cd5de260a00fc57089ed649f9b00ad3bf11b

  • SHA256

    1582b8f127bb2a3288ef7b6df1c0320a777bbefc4abc644d5e3b6e17f8a34324

  • SHA512

    f0f1bfc6d16d3213bb3b9d94a3e5fb8f874dde21226902873b8ead8e3d07503ec599411f44f20ffcab3670e62240a609e3e4f2da2c8b36e83e340daa2a4cc497

  • SSDEEP

    6144:57A/MmJMsENIsRctX5rUvQSNj0LZOWM8yucn:5U/MmrrU1Nj0LZOd8yus

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 16 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Summer Loader Valorant V1.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Summer Loader Valorant V1.2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1704
    • C:\Users\Admin\AppData\Local\Temp\Summer Loader Valorant V1.2.exe
      "C:\Users\Admin\AppData\Local\Temp\Summer Loader Valorant V1.2.exe"
      2⤵
        PID:2920
      • C:\Users\Admin\AppData\Local\Temp\Summer Loader Valorant V1.2.exe
        "C:\Users\Admin\AppData\Local\Temp\Summer Loader Valorant V1.2.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2080
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Roaming\Windows.exe"'
            4⤵
            • Creates scheduled task(s)
            PID:1416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B87.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:4272
          • C:\Users\Admin\AppData\Roaming\Windows.exe
            "C:\Users\Admin\AppData\Roaming\Windows.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4608
            • C:\Windows\explorer.exe
              "C:\Windows\explorer.exe"
              5⤵
              • Modifies registry class
              PID:2008
            • C:\Users\Admin\AppData\Roaming\Windows.exe
              "C:\Users\Admin\AppData\Roaming\Windows.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1596
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1744

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Summer Loader Valorant V1.2.exe.log
      Filesize

      1KB

      MD5

      7e1ed0055c3eaa0bbc4a29ec1ef15a6a

      SHA1

      765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d

      SHA256

      4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce

      SHA512

      de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp8B87.tmp.bat
      Filesize

      151B

      MD5

      fa8cd575ff43749b7c3270b06f74c809

      SHA1

      ed9a30ceb741d61415a6cf756ef16db4018932c1

      SHA256

      675c0340a75ba9e1419b463e940621b743b4bf4fd452b66fbf776f2fdf93aca3

      SHA512

      8c830f7c5a9a70135f06f05a4887c31bf382edbce04911cb192805a0ce8fbedb633d1b9e3967a691d6e6605aaa3c95986af10730d9c2d6c854715364581c40a1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windows.exe
      Filesize

      701KB

      MD5

      339da3d1b7c0e2f38aeaac8fa11b1159

      SHA1

      e0e9cd5de260a00fc57089ed649f9b00ad3bf11b

      SHA256

      1582b8f127bb2a3288ef7b6df1c0320a777bbefc4abc644d5e3b6e17f8a34324

      SHA512

      f0f1bfc6d16d3213bb3b9d94a3e5fb8f874dde21226902873b8ead8e3d07503ec599411f44f20ffcab3670e62240a609e3e4f2da2c8b36e83e340daa2a4cc497

      Download Submit

    • memory/1596-32-0x0000000005310000-0x0000000005320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1596-31-0x0000000074900000-0x00000000750B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1596-30-0x0000000005310000-0x0000000005320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1596-28-0x0000000074900000-0x00000000750B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2080-9-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2080-17-0x0000000074930000-0x00000000750E1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2080-12-0x0000000074930000-0x00000000750E1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4608-23-0x0000000005170000-0x0000000005180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4608-22-0x0000000074900000-0x00000000750B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4608-29-0x0000000074900000-0x00000000750B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4860-11-0x0000000074930000-0x00000000750E1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4860-6-0x0000000006480000-0x000000000651C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4860-5-0x0000000005050000-0x000000000505A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4860-0-0x0000000000490000-0x0000000000546000-memory.dmp

      Filesize

      728KB

      Download

    • memory/4860-4-0x00000000050A0000-0x0000000005132000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4860-3-0x00000000056B0000-0x0000000005C56000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4860-2-0x0000000004EF0000-0x0000000004F00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4860-1-0x0000000074930000-0x00000000750E1000-memory.dmp

      Filesize

      7.7MB

      Download