Analysis
- max time kernel: 1797s
- max time network: 1751s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/06/2024, 16:39
Static task
- static1
Behavioral tasks
- behavioral1: Ephinea_PSOBB_Installer.exe (resource win10v2004-20240611-en)
- behavioral2: Microsoft.Web.WebView2.Core.dll (resource win10v2004-20240508-en)
- behavioral3: Microsoft.Web.WebView2.Wpf.dll (resource win10v2004-20240611-en)
- behavioral4: PsoBB.exe (resource win10v2004-20240508-en)
- behavioral5: WebView2Loader.dll (resource win10v2004-20240611-en)
- behavioral6: data/ogg/HEAD_ON.ps1 (resource win10v2004-20240611-en)
- behavioral7: dgVoodoo_d3d9.dll (resource win10v2004-20240508-en)
- behavioral8: dxvk_d3d9.dll (resource win10v2004-20240508-en)
- behavioral9: ephinea.dll (resource win10v2004-20240508-en)
- behavioral10: online.exe (resource win10v2004-20240611-en)
- behavioral11: online_compat.exe (resource win10v2004-20240508-en)
- behavioral12: online_win7.exe (resource win10v2004-20240508-en)
- behavioral13: option.exe (resource win10v2004-20240508-en)
- behavioral14: patchclient.dll (resource win10v2004-20240508-en)
- behavioral15: uninstall.exe (resource win10v2004-20240611-en)
General
- Target: PsoBB.exe
- Size: 6.7MB
- MD5: e89d53b6c79aca33973e2129586a2ae7
- SHA1: d345fe94c772d7ad6fb49f416ac6e081ede8a834
- SHA256: f4d4bd463c07fec2542452735deb5237641634100d9223d2d0f0ae4000315cc0
- SHA512: 0f9d6ffff5d1077f703a50510373f7fbbe4270d29a3bd26824c6e8fab3929ad8b7d5508a8cafc283fbe83cc1b559a29571d2de2d383f52c09eed0b1b2543ca20
- SSDEEP: 196608:UxzBce4N3RmOl7G9ETGD78QelnZmrlMcja333m333qet33333323333Uv:Uly3RmOl7G9ETGD78Qelnsla333m333z
Malware Config
Signatures
- Drops desktop.ini file(s) (1 IoC)
  File opened for modification: C:\Users\Admin\Videos\Captures\desktop.ini (svchost.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 3672 PsoBB.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{FE9E7402-650D-45AB-9031-0D1B3F90C0F9} (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID 3672 PsoBB.exe (16 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3672 PsoBB.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33, PID 3412 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, PID 3412 AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 3672 PsoBB.exe (2 occurrences)
  PID 2720 OpenWith.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PsoBB.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PsoBB.exe"
  PID: 3672
  Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2720
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  PID: 4916
  Signatures: Drops desktop.ini file(s); Checks processor information in registry; Modifies registry class
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x45c 0x464
  PID: 3412
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads