e6de6cab2e7845b05ce76a32566dc5c023c1029ce2956a29f55bf5254fc0693e

Resubmissions

07/10/2022, 17:55

221007-whfypadcan 8

07/10/2022, 17:51

221007-wfdqjsdcaj 8

07/10/2022, 17:47

221007-wdcqgadac8 8

07/10/2022, 17:43

221007-waz2ladab8 8

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2022, 17:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.exe
Size

4.4MB
MD5

cdc432222c4365d28e17521565387064
SHA1

41e716aba50ee0cd10db20febc8f3a160305e3ac
SHA256

e6de6cab2e7845b05ce76a32566dc5c023c1029ce2956a29f55bf5254fc0693e
SHA512

faad00b7f3e4984828e6d64fff502672c823a74d56677ff4f70481ef561452804b1ea4d3025287a9aad16763c95a9ff0f119c9b78d5dc1a6d59e79b88457013c
SSDEEP

98304:cSiF6hoXOWZ3lsuUxqxgWphviLx137O5M:zoXOM1ughC7SM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
716	Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.tmp

Loads dropped DLL 3 IoCs

pid	Process
716	Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.tmp
716	Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.tmp
716	Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 716	4964	Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.exe	82
PID 4964 wrote to memory of 716	4964	Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.exe	82
PID 4964 wrote to memory of 716	4964	Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.exe	82

C:\Users\Admin\AppData\Local\Temp\Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.exe
"C:\Users\Admin\AppData\Local\Temp\Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\is-9IM4G.tmp\Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9IM4G.tmp\Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.tmp" /SL5="$8006A,3586129,1235456,C:\Users\Admin\AppData\Local\Temp\Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9IM4G.tmp\Valorant Skin Changer - Linkvertise Downloader_K-pfIt1.tmp

Filesize
3.4MB

MD5
06e087e48e6d73efd7f353855aacb570

SHA1
679e2a92aa2c8a09fa3b615d56e48667ff8bb4f8

SHA256
9a0815e309db4d6feebf90ce5e91cc78892b2016dcbe07fd436afd655477320d

SHA512
05e4fe70aa104a4edbbdddf5e7396446d67123e2865c3a02c414a39c1ee6dc34aba6fa6f587435755a9a90ade1b7eccefe0e76244563689e0971a024049086c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TUTGL.tmp\AppUtils.dll

Filesize
1.8MB

MD5
43ce6d593abd5141a3139603f352ae05

SHA1
a97c75e23d275dddfde15ef5fdf3ff3253c0992c

SHA256
94e874f2702ea6be50e7d74864b66e7f763449c3db237803f3fad6adfd64ed3d

SHA512
bfc527529e5f73ba190dfc5bd043175c7e2ae963b665d6d39421c29e025020f1d593dc88b7bee33d86ef6b4f7a4c5e1a0339df4e99cab6849a275d1dda9f439f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TUTGL.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TUTGL.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
memory/716-140-0x0000000003970000-0x000000000397F000-memory.dmp

Filesize
60KB

Download
memory/4964-132-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4964-136-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download