c946298fbdee04f337615a247a5035d08fb5afba83d2e851f64a601e094e7ac8

General

Target

Valorant Checker by Xinax.exe
Size

2.0MB
MD5

91061e34a8dbc6156e3fa75dc322e4b0
SHA1

628a4c88f0a3823e07ae055df36bae6b36049419
SHA256

68e98c4079707047d46a02729663551e5eafb34e76bccd018d0beee25dc70ed0
SHA512

6029bed5c4486d0ff4bc348eb924cc9901d57d6781af818b5add937a55fc5cc9acfdc1a7dd01021de13d0e685d3f71bc865730fcd2f47e92797de29413aaaf22
SSDEEP

49152:IBJgkNXymHeCn46zWhYhJseQLTKNWAGM9SwE:yWkxddnK+OiUAGMw

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x00030000000227ba-139.dat	net_reactor
behavioral2/files/0x00030000000227ba-145.dat	net_reactor
behavioral2/files/0x00030000000227ba-146.dat	net_reactor
behavioral2/memory/4220-147-0x0000000000B20000-0x0000000000CF6000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Valorant Checker by Xinax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Valorant Checker by Xinax.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost64.exe	Valorant_Checker by Xinax.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost64.exe	Valorant_Checker by Xinax.exe

Executes dropped EXE 2 IoCs

pid	Process
4220	Valorant Checker by Xinax.exe
380	Valorant_Checker by Xinax.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4836	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4924	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4220	Valorant Checker by Xinax.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	Valorant Checker by Xinax.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	380	Valorant_Checker by Xinax.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 4220	628	Valorant Checker by Xinax.exe	99
PID 628 wrote to memory of 4220	628	Valorant Checker by Xinax.exe	99
PID 628 wrote to memory of 4220	628	Valorant Checker by Xinax.exe	99
PID 4220 wrote to memory of 4920	4220	Valorant Checker by Xinax.exe	102
PID 4220 wrote to memory of 4920	4220	Valorant Checker by Xinax.exe	102
PID 4220 wrote to memory of 4920	4220	Valorant Checker by Xinax.exe	102
PID 4920 wrote to memory of 2584	4920	cmd.exe	104
PID 4920 wrote to memory of 2584	4920	cmd.exe	104
PID 4920 wrote to memory of 2584	4920	cmd.exe	104
PID 4920 wrote to memory of 4924	4920	cmd.exe	105
PID 4920 wrote to memory of 4924	4920	cmd.exe	105
PID 4920 wrote to memory of 4924	4920	cmd.exe	105
PID 4920 wrote to memory of 4836	4920	cmd.exe	106
PID 4920 wrote to memory of 4836	4920	cmd.exe	106
PID 4920 wrote to memory of 4836	4920	cmd.exe	106
PID 628 wrote to memory of 380	628	Valorant Checker by Xinax.exe	107
PID 628 wrote to memory of 380	628	Valorant Checker by Xinax.exe	107

C:\Users\Admin\AppData\Local\Temp\Valorant Checker by Xinax.exe
"C:\Users\Admin\AppData\Local\Temp\Valorant Checker by Xinax.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Valorant Checker by Xinax.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Valorant Checker by Xinax.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1CCF.tmp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\taskkill.exe
      TaskKill /F /IM 4220
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4924
  - - C:\Windows\SysWOW64\timeout.exe
      Timeout /T 2 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4836
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Valorant_Checker by Xinax.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Valorant_Checker by Xinax.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Valorant Checker by Xinax.exe

Filesize
1.8MB

MD5
13c6d746798d94c90d5a96cf72f61a6b

SHA1
18624a712489d513855bb7f5c482af2ce5165aa5

SHA256
63d9faf84349fd5984937713409c3afc6c3150b6a0d18909031e1022b45fa28a

SHA512
034d653db4ef1167c29170795bc7482f667c9b8b0cb8f63e211631239c666acf650d20976bfe4ffbb550b8fbf7c704f3fd8e23bb5a666122fe88398f1fb1b071

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Valorant Checker by Xinax.exe

Filesize
1.8MB

MD5
13c6d746798d94c90d5a96cf72f61a6b

SHA1
18624a712489d513855bb7f5c482af2ce5165aa5

SHA256
63d9faf84349fd5984937713409c3afc6c3150b6a0d18909031e1022b45fa28a

SHA512
034d653db4ef1167c29170795bc7482f667c9b8b0cb8f63e211631239c666acf650d20976bfe4ffbb550b8fbf7c704f3fd8e23bb5a666122fe88398f1fb1b071

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Valorant Checker by Xinax.exe

Filesize
1.8MB

MD5
13c6d746798d94c90d5a96cf72f61a6b

SHA1
18624a712489d513855bb7f5c482af2ce5165aa5

SHA256
63d9faf84349fd5984937713409c3afc6c3150b6a0d18909031e1022b45fa28a

SHA512
034d653db4ef1167c29170795bc7482f667c9b8b0cb8f63e211631239c666acf650d20976bfe4ffbb550b8fbf7c704f3fd8e23bb5a666122fe88398f1fb1b071

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Valorant_Checker by Xinax.exe

Filesize
135KB

MD5
b03d6a21639e1221fba85ffe3d6355e7

SHA1
3f1e46f1b833d5598ceeaad293feec837fc4da57

SHA256
e809f5a609f862e6352337569249959867dea6a55ab3552f32d385e9c921ae0b

SHA512
e8715b273a90dd53557212685519297cb211a72400b52ff0d33141f0f6aeeb9e7c2bd4067069d132e532cfdee138d1444cd323fb6fdb8f6fdbdcefe366ad99f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Valorant_Checker by Xinax.exe

Filesize
135KB

MD5
b03d6a21639e1221fba85ffe3d6355e7

SHA1
3f1e46f1b833d5598ceeaad293feec837fc4da57

SHA256
e809f5a609f862e6352337569249959867dea6a55ab3552f32d385e9c921ae0b

SHA512
e8715b273a90dd53557212685519297cb211a72400b52ff0d33141f0f6aeeb9e7c2bd4067069d132e532cfdee138d1444cd323fb6fdb8f6fdbdcefe366ad99f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Valorant_Checker by Xinax.exe

Filesize
135KB

MD5
b03d6a21639e1221fba85ffe3d6355e7

SHA1
3f1e46f1b833d5598ceeaad293feec837fc4da57

SHA256
e809f5a609f862e6352337569249959867dea6a55ab3552f32d385e9c921ae0b

SHA512
e8715b273a90dd53557212685519297cb211a72400b52ff0d33141f0f6aeeb9e7c2bd4067069d132e532cfdee138d1444cd323fb6fdb8f6fdbdcefe366ad99f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1CCF.tmp.bat

Filesize
57B

MD5
8704065f475964288d3cd0b9e8059bbd

SHA1
b40a55c138e592352b430e4eac17ea3b3645de50

SHA256
d9d2aa2c37da935de2e97a703951c78b98c9491f94db69b83053f02aa7a141b4

SHA512
df03be0c82da09c9f1ec1e7766e193111aa464ba5673759c7d4f9b2c2fe91be990fc234a0487e61f7cb95999ecf5da7f97b2b90953b38e9c929bd9603f5871a4

Download Submit
memory/380-166-0x00000188FD3B0000-0x00000188FD3D8000-memory.dmp

Filesize
160KB

Download
memory/380-168-0x0000018899960000-0x0000018899970000-memory.dmp

Filesize
64KB

Download
memory/380-169-0x0000018899610000-0x0000018899611000-memory.dmp

Filesize
4KB

Download
memory/380-170-0x0000018899960000-0x0000018899970000-memory.dmp

Filesize
64KB

Download
memory/4220-149-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/4220-148-0x0000000003380000-0x00000000033E6000-memory.dmp

Filesize
408KB

Download
memory/4220-147-0x0000000000B20000-0x0000000000CF6000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing