Analysis
- max time kernel: 42s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-09-2022 20:44
Tasks
- static1 (static task)
- behavioral1: Spoofer_Valorant_CHEATER.FUN_/Free Hacks for Games.url on win7-20220812-en
- behavioral2: Spoofer_Valorant_CHEATER.FUN_/Free Hacks for Games.url on win10v2004-20220812-en
- behavioral3: Spoofer_Valorant_CHEATER.FUN_/_Serial_check.bat on win7-20220901-en
- behavioral4: Spoofer_Valorant_CHEATER.FUN_/_Serial_check.bat on win10v2004-20220812-en
- behavioral5: Spoofer_Valorant_CHEATER.FUN_/kdmapper.exe on win7-20220812-en
- behavioral6: Spoofer_Valorant_CHEATER.FUN_/kdmapper.exe on win10v2004-20220812-en
- behavioral7: Spoofer_Valorant_CHEATER.FUN_/s.exe on win7-20220901-en
- behavioral8: Spoofer_Valorant_CHEATER.FUN_/s.exe on win10v2004-20220812-en
- behavioral9: Spoofer_Valorant_CHEATER.FUN_/spoof.bat on win7-20220812-en
- behavioral10: Spoofer_Valorant_CHEATER.FUN_/spoof.bat on win10v2004-20220812-en
General
- Target: Spoofer_Valorant_CHEATER.FUN_/spoof.bat
- Size: 403B
- MD5: 38b51184c9cd21a76ae49435485051c1
- SHA1: 2a35f39dc6620b84b88132100715d5e7e3c19fb5
- SHA256: 16e7770ef24530977e9717229940770fd3f8b9934ab09ccd6bbc1f61100caa4e
- SHA512: 138390fd4568a0097ab004b4851bb5cf391d00f94f162af75937ca6ea68e93f21e178f6190d5d2dfa9a6bf6f15480c8361545db8295cdf9714fb5e8a0c97b2fb
Malware Config
Signatures
- Sets service image path in registry (2 TTPs, 1 IoC)
  Process: kdmapper.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BxsNmpdXueYqsMyTLzhIQPdMP\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\BxsNmpdXueYqsMyTLzhIQPdMP"
- Suspicious behavior: LoadsDriver (1 IoC)
  PID 2036, kdmapper.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - PID 2036, kdmapper.exe: SeLoadDriverPrivilege
  - PID 1624, WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this sequence of 20 tokens is recorded twice for PID 1624)
  - PID 1396, WMIC.exe: the same sequence of 20 tokens as above, recorded once, followed by SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (the listing stops at the 64-entry limit)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Source process in every entry: PID 1972, cmd.exe; three entries are recorded per target.
  - wrote to memory of PID 2036 (procid_target 29)
  - wrote to memory of PID 1624 (procid_target 30)
  - wrote to memory of PID 1396 (procid_target 32)
  - wrote to memory of PID 2016 (procid_target 33)
  - wrote to memory of PID 864 (procid_target 34)
  - wrote to memory of PID 752 (procid_target 36)
  - wrote to memory of PID 1976 (procid_target 37)
Processes
- C:\Windows\system32\cmd.exe (PID 1972)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Spoofer_Valorant_CHEATER.FUN_\spoof.bat"
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\Spoofer_Valorant_CHEATER.FUN_\kdmapper.exe (PID 2036)
    Command line: kdmapper.exe s.sys
    - Sets service image path in registry
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (PID 1624)
    Command line: wmic memorychip get serialnumber
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (PID 1396)
    Command line: wmic diskdrive get serialnumber
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2016)
    Command line: wmic baseboard get serialnumber
  - C:\Windows\system32\getmac.exe (PID 864)
    Command line: getmac /NH
  - C:\Windows\System32\Wbem\WMIC.exe (PID 752)
    Command line: wmic cpu get ProcessorId,name
  - C:\Windows\System32\Wbem\WMIC.exe (PID 1976)
    Command line: wmic csproduct get uuid,name,version