Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

11/08/2024, 13:15

240811-qhjfxs1cnl 7

11/08/2024, 13:11

240811-qe2hbs1bpq 7

11/08/2024, 13:05

240811-qbzvbs1amn 7

11/08/2024, 12:58

240811-p7tshsvcma 7

Analysis

  • max time kernel
    40s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/08/2024, 13:05

General

  • Target

    BorderlessGaming10.0_admin_setup.exe

  • Size

    48.8MB

  • MD5

    d52cda79789a76bc6687e99a206d3ef4

  • SHA1

    3e8e1f1f17bd0c5087e26bf5b6c6f63dd110b01e

  • SHA256

    a15810bb4e49e29191ef909985a569339f0d309d65087aa3cd4f1f16eea162b0

  • SHA512

    7677362141297e7e1eab3bbeee08b6df10ba21de5ccf5232e5fa80dcb097c57f0802534a0a62bbf4a37c0c51c97d2f8cd23e432f011ea717ea8bf9d7aafb1071

  • SSDEEP

    786432:RgyfSSjla4cxOAyl45+TpT+qluCGXmsGjVfKaC93M9RHwDqmOX4Cpw85z9JYlb:RgYSSUY3l3doCGX0uUQems4CpJhJCb

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BorderlessGaming10.0_admin_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\BorderlessGaming10.0_admin_setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Users\Admin\AppData\Local\Temp\is-PAUQU.tmp\BorderlessGaming10.0_admin_setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PAUQU.tmp\BorderlessGaming10.0_admin_setup.tmp" /SL5="$6020E,50295133,805376,C:\Users\Admin\AppData\Local\Temp\BorderlessGaming10.0_admin_setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Program Files (x86)\Borderless Gaming\BorderlessGaming.exe
        "C:\Program Files (x86)\Borderless Gaming\BorderlessGaming.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Borderless Gaming\Languages.zip

    Filesize

    22KB

    MD5

    ea581fa582ae31b03360b453c6d3e17d

    SHA1

    49d430e8855e313fd34aab8f84bab84613798b9d

    SHA256

    e2f2bf8a5c2727553b08db6468a4cbc2869e661db2d6d69fe9678312ef9644fe

    SHA512

    6431e5af1089de02f13f9d64de1be65ec60146a4566c5766b924345dde8a5517beb480b8329180fe76ff04dd9ac62e5d4b8538d807d30f2d66458ee2f3199627

  • C:\Users\Admin\AppData\Local\Temp\is-PAUQU.tmp\BorderlessGaming10.0_admin_setup.tmp

    Filesize

    3.0MB

    MD5

    a7f253a0b50775b6551e22b4d9a24859

    SHA1

    fd5f8d0375eace3f98e58eefbed312c4a8c1adbd

    SHA256

    78b2450bfe461841b7feb4f099fda5598d468385a548012eb902793f3a927671

    SHA512

    c44812a59ac03373d745c74a84f326d3faf52f25d0a2afa90965806958b288ebde1ce133455fc0bbe70ab2c8dbecf88459ed0cafba7ecb646531e6f8e7831a9f

  • memory/1800-6-0x0000000000400000-0x000000000070E000-memory.dmp

    Filesize

    3.1MB

  • memory/1800-9-0x0000000000400000-0x000000000070E000-memory.dmp

    Filesize

    3.1MB

  • memory/1800-53-0x0000000000400000-0x000000000070E000-memory.dmp

    Filesize

    3.1MB

  • memory/1800-104-0x0000000000400000-0x000000000070E000-memory.dmp

    Filesize

    3.1MB

  • memory/4472-0-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB

  • memory/4472-2-0x0000000000401000-0x00000000004B7000-memory.dmp

    Filesize

    728KB

  • memory/4472-8-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB

  • memory/4472-105-0x0000000000400000-0x00000000004D2000-memory.dmp

    Filesize

    840KB