Resubmissions
- 11/08/2024, 13:15: 240811-qhjfxs1cnl
- 11/08/2024, 13:11: 240811-qe2hbs1bpq
- 11/08/2024, 13:05: 240811-qbzvbs1amn
- 11/08/2024, 12:58: 240811-p7tshsvcma

Analysis
- max time kernel: 40s
- max time network: 40s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/08/2024, 13:05
Static task
- static1

Behavioral task
- behavioral1
  Sample: BorderlessGaming10.0_admin_setup.exe
  Resource: win7-20240708-en

Behavioral task
- behavioral2
  Sample: BorderlessGaming10.0_admin_setup.exe
  Resource: win10v2004-20240802-en
General
- Target: BorderlessGaming10.0_admin_setup.exe
- Size: 48.8MB
- MD5: d52cda79789a76bc6687e99a206d3ef4
- SHA1: 3e8e1f1f17bd0c5087e26bf5b6c6f63dd110b01e
- SHA256: a15810bb4e49e29191ef909985a569339f0d309d65087aa3cd4f1f16eea162b0
- SHA512: 7677362141297e7e1eab3bbeee08b6df10ba21de5ccf5232e5fa80dcb097c57f0802534a0a62bbf4a37c0c51c97d2f8cd23e432f011ea717ea8bf9d7aafb1071
- SSDEEP: 786432:RgyfSSjla4cxOAyl45+TpT+qluCGXmsGjVfKaC93M9RHwDqmOX4Cpw85z9JYlb:RgYSSUY3l3doCGX0uUQems4CpJhJCb
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (process: BorderlessGaming.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (process: BorderlessGaming10.0_admin_setup.tmp)

Executes dropped EXE (2 IoCs)
- PID 1800: BorderlessGaming10.0_admin_setup.tmp
- PID 4556: BorderlessGaming.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- flow 30: raw.githubusercontent.com
- flow 31: raw.githubusercontent.com

Drops file in Program Files directory (13 IoCs)
All entries by process BorderlessGaming10.0_admin_setup.tmp:
- File created: C:\Program Files (x86)\Borderless Gaming\unins000.dat
- File created: C:\Program Files (x86)\Borderless Gaming\is-870RD.tmp
- File opened for modification: C:\Program Files (x86)\Borderless Gaming\unins000.dat
- File created: C:\Program Files (x86)\Borderless Gaming\is-BI6Q7.tmp
- File created: C:\Program Files (x86)\Borderless Gaming\is-N731A.tmp
- File created: C:\Program Files (x86)\Borderless Gaming\is-B6060.tmp
- File opened for modification: C:\Program Files (x86)\Borderless Gaming\BorderlessGaming.exe
- File created: C:\Program Files (x86)\Borderless Gaming\is-J70M1.tmp
- File created: C:\Program Files (x86)\Borderless Gaming\is-4ESNA.tmp
- File created: C:\Program Files (x86)\Borderless Gaming\is-EVGAN.tmp
- File created: C:\Program Files (x86)\Borderless Gaming\is-232OR.tmp
- File created: C:\Program Files (x86)\Borderless Gaming\is-KQA3M.tmp
- File created: C:\Program Files (x86)\Borderless Gaming\is-486LP.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: BorderlessGaming10.0_admin_setup.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: BorderlessGaming10.0_admin_setup.tmp)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1800: BorderlessGaming10.0_admin_setup.tmp (2 hits)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 4556: BorderlessGaming.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1800: BorderlessGaming10.0_admin_setup.tmp
- PID 4556: BorderlessGaming.exe

Suspicious use of SendNotifyMessage (13 IoCs)
- PID 4556: BorderlessGaming.exe (13 hits)

Suspicious use of WriteProcessMemory (5 IoCs)
- PID 4472 (BorderlessGaming10.0_admin_setup.exe) wrote to memory of PID 1800, procid_target 87 (3 hits)
- PID 1800 (BorderlessGaming10.0_admin_setup.tmp) wrote to memory of PID 4556, procid_target 98 (2 hits)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\BorderlessGaming10.0_admin_setup.exe (PID 4472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BorderlessGaming10.0_admin_setup.exe"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\is-PAUQU.tmp\BorderlessGaming10.0_admin_setup.tmp (PID 1800)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-PAUQU.tmp\BorderlessGaming10.0_admin_setup.tmp" /SL5="$6020E,50295133,805376,C:\Users\Admin\AppData\Local\Temp\BorderlessGaming10.0_admin_setup.exe"
    Signatures:
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Borderless Gaming\BorderlessGaming.exe (PID 4556)
      Command line: "C:\Program Files (x86)\Borderless Gaming\BorderlessGaming.exe"
      Signatures:
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 22KB
  MD5: ea581fa582ae31b03360b453c6d3e17d
  SHA1: 49d430e8855e313fd34aab8f84bab84613798b9d
  SHA256: e2f2bf8a5c2727553b08db6468a4cbc2869e661db2d6d69fe9678312ef9644fe
  SHA512: 6431e5af1089de02f13f9d64de1be65ec60146a4566c5766b924345dde8a5517beb480b8329180fe76ff04dd9ac62e5d4b8538d807d30f2d66458ee2f3199627
- Filesize: 3.0MB
  MD5: a7f253a0b50775b6551e22b4d9a24859
  SHA1: fd5f8d0375eace3f98e58eefbed312c4a8c1adbd
  SHA256: 78b2450bfe461841b7feb4f099fda5598d468385a548012eb902793f3a927671
  SHA512: c44812a59ac03373d745c74a84f326d3faf52f25d0a2afa90965806958b288ebde1ce133455fc0bbe70ab2c8dbecf88459ed0cafba7ecb646531e6f8e7831a9f