Overview

overview

7

Static

static

1

Install VALORANT.exe

windows7-x64

7

Install VALORANT.exe

windows10-2004-x64

Analysis

  • max time kernel
    151s
  • max time network
    101s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    31-03-2023 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Install VALORANT.exe

  • Size

    66.1MB

  • MD5

    fa9763834a8a3f39afbbcbf775b71ea8

  • SHA1

    2a88d1871f25c475d5e670c266eb2acc9dc5e7bb

  • SHA256

    0bdc1bf1724e6e265599895c5ef0f0104e4cbb2f8c373abba5ed2111ba77b8af

  • SHA512

    4628cacb7fe7dfe01fdc04bd7c024c90df8a2e42ab54a534316ffbf65c6e6fe13806fb83fbba6dcd664a6daaff18825ee493cb3ed2fa9c3b4f8b9c8ca979e9d5

  • SSDEEP

    1572864:InRkzKSp8K0UNl/Ywrt9E7lzPF5KBBhDIVIbjUp1xDn:vNp8KnAtqBBhDIVNjr

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Install VALORANT.exe
    "C:\Users\Admin\AppData\Local\Temp\Install VALORANT.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Local\Temp\Install VALORANT.exe
      "C:\Users\Admin\AppData\Local\Temp\Install VALORANT.exe" --agent --riotclient-app-port=49164 --riotclient-auth-token=9KAtAudOGOnXxXdDPtgNmA --app-root=C:/Users/Admin/AppData/Local/Temp "--data-root=C:/ProgramData/Riot Games/Metadata" "--update-root=C:/ProgramData/Riot Games/Metadata/Install VALORANT/Update" "--log-root=C:/Users/Admin/AppData/Local/Riot Games/Install VALORANT/Logs" "--user-data-root=C:/Users/Admin/AppData/Local/Riot Games/Install VALORANT" --session-id=f4eb53d7-5870-e34d-85ba-7532955c1e07
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 400
        3⤵
        • Program crash
        PID:688
    • C:\Riot Games\Riot Client\RiotClientServices.exe
      "C:/Riot Games/Riot Client/RiotClientServices.exe" --launch-product=valorant --launch-patchline=live --force-auto-patch --shard=valorant:live:eu --locale=en_US --session-id=f4eb53d7-5870-e34d-85ba-7532955c1e07 --install-flow
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1252
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ReadRepair.aif"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:848
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Riot Games\Metadata\Riot Client\Riot Client.db
    Filesize

    352KB

    MD5

    0c079a78acbffa01aa967f1590cfe32d

    SHA1

    c5bae947427ad8c00a4e4dd07ecc4d58ca02c13e

    SHA256

    50279a739a5924a484790691c73a0422733fbec67e7c9e25741d53dfbf27f7c8

    SHA512

    4b388e075125687b55774e287d4c54fbc936ab7c5cd32c803479be242307493b70e2449aed5dab52cdb9201dcd06712eeeb50f346bb3d36e7b67d8699d5392c9

    Download Submit
  • C:\ProgramData\Riot Games\Metadata\Riot Client\Riot Client.manifest
    Filesize

    175KB

    MD5

    2ac4a5aaf1097ccd3520ec1bdb122a62

    SHA1

    de3d74f135f8296d4627a8ffc42d4b883c8c0ae5

    SHA256

    e8f4d5106cb838da36155e6e6346ea7ecb0b0973a168cbb15dfeb1d356532d17

    SHA512

    1c18132547096df94a3f8525a4072284e023106598c80aef375cab8cdbfc5b9fa3a8c813cfe499b3d118ae4cd9074c21506886185a777954b8d2d25ee182ff73

    Download Submit
  • C:\ProgramData\Riot Games\Metadata\Riot Client\Riot Client.ok
    Filesize

    97B

    MD5

    7a952a247a6d698c912058739aff13f7

    SHA1

    175cceafaed59382d094fe4584a4b25c831dd970

    SHA256

    859fc7fd5de399e60e6fc7ac35403458eaf19f071358a924df41e0e084943b1f

    SHA512

    44a2da4c1e125c08ecdd9de49022bef128b7233fa1236696ce5918a096767db6d1a6658651c32ef8e7aced696be5469d18907a28fc4cd4b92a340cab01c84ae9

    Download Submit
  • C:\ProgramData\Riot Games\machine.cfg
    Filesize

    39B

    MD5

    6ad195a84bf37ea56d6045fdd88d1132

    SHA1

    24ae8e7d8e7d410a58563530562e7a60135e9ae9

    SHA256

    a80d380d573f3b1e57556f98bd3c2da550ea4c73c67bd282bef439fbcd334943

    SHA512

    09fc04d34a09cfa33d57bd5a9c40616664e35cc88242a21f58c6eff6481effbd70376c10a7d2f1a44fa9cfeb221862d3f6a174471ec6ff29a758351e04cb938d

    Download Submit
  • C:\Riot Games\Riot Client\RiotClientServices.exe
    Filesize

    66.5MB

    MD5

    0db835872607eed12ed33b731ecb6adc

    SHA1

    a2cfff06b95c990916fd2f50c4965adc04239f6c

    SHA256

    8dac39abee4c0c5d21467963f120385a5be91767e14f6a02d34411fe310ef234

    SHA512

    afc7e7fa686f07ba164af496e025e272f8584be0a2f29d50f86d4477f11525082f9121c68551bc4d64e26c2f5ea636d3ee9ca1814a8005e934ea0fc8fc954156

    Download Submit
  • C:\Riot Games\Riot Client\RiotClientServices.exe
    Filesize

    66.5MB

    MD5

    0db835872607eed12ed33b731ecb6adc

    SHA1

    a2cfff06b95c990916fd2f50c4965adc04239f6c

    SHA256

    8dac39abee4c0c5d21467963f120385a5be91767e14f6a02d34411fe310ef234

    SHA512

    afc7e7fa686f07ba164af496e025e272f8584be0a2f29d50f86d4477f11525082f9121c68551bc4d64e26c2f5ea636d3ee9ca1814a8005e934ea0fc8fc954156

    Download Submit
  • C:\Riot Games\Riot Client\RiotClientServices.exe
    Filesize

    66.5MB

    MD5

    0db835872607eed12ed33b731ecb6adc

    SHA1

    a2cfff06b95c990916fd2f50c4965adc04239f6c

    SHA256

    8dac39abee4c0c5d21467963f120385a5be91767e14f6a02d34411fe310ef234

    SHA512

    afc7e7fa686f07ba164af496e025e272f8584be0a2f29d50f86d4477f11525082f9121c68551bc4d64e26c2f5ea636d3ee9ca1814a8005e934ea0fc8fc954156

    Download Submit
  • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
    Filesize

    76B

    MD5

    46cb78bd7445b75b71396eef515f5db6

    SHA1

    9b70740e18e0a81ef15ca86ec3f1a453dd80d71c

    SHA256

    449165f6dc2c9d1131da566f2e5ff292c220fc339708402e5235661d1ac38e9f

    SHA512

    a2a6cd19aa5e038d128427fe425a7083ef23a4bcf6de1a1a663667d424269ab89e5bda3885e0c9af95b392fc33e4ee67d7a854b22d9873a21eebdbe324b02491

    Download Submit
  • C:\Users\Admin\AppData\Roaming\vlc\vlcrc.848
    Filesize

    93KB

    MD5

    478a4a09f4f74e97335cd4d5e9da7ab5

    SHA1

    3c4f1dc52a293f079095d0b0370428ec8e8f9315

    SHA256

    884b59950669842f3c45e6da3480cd9a553538b951fb155b435b48ff38683974

    SHA512

    e96719663cd264132a8e1ea8c3f8a148c778a0c68caa2468ba47629393605b197dd9e00efad91f389de9fcc77b04981a0cf87f785f3c645cdc9e4ebd98060ca1

    Download Submit
  • \Riot Games\Riot Client\RiotClientServices.exe
    Filesize

    66.5MB

    MD5

    0db835872607eed12ed33b731ecb6adc

    SHA1

    a2cfff06b95c990916fd2f50c4965adc04239f6c

    SHA256

    8dac39abee4c0c5d21467963f120385a5be91767e14f6a02d34411fe310ef234

    SHA512

    afc7e7fa686f07ba164af496e025e272f8584be0a2f29d50f86d4477f11525082f9121c68551bc4d64e26c2f5ea636d3ee9ca1814a8005e934ea0fc8fc954156

    Download Submit
  • memory/848-113-0x000007FEF4720000-0x000007FEF4744000-memory.dmp
    Filesize

    144KB

    Download
  • memory/848-122-0x000007FEF44B0000-0x000007FEF44DC000-memory.dmp
    Filesize

    176KB

    Download
  • memory/848-106-0x000007FEF5990000-0x000007FEF59C0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/848-105-0x000007FEF59C0000-0x000007FEF59D8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/848-104-0x000007FEF59E0000-0x000007FEF59F1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-103-0x000007FEF5A00000-0x000007FEF5A1B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/848-102-0x000007FEF5A20000-0x000007FEF5A31000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-101-0x000007FEF5A40000-0x000007FEF5A51000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-100-0x000007FEF5A60000-0x000007FEF5A71000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-99-0x000007FEF5A80000-0x000007FEF5A98000-memory.dmp
    Filesize

    96KB

    Download
  • memory/848-98-0x000007FEF5AA0000-0x000007FEF5AC1000-memory.dmp
    Filesize

    132KB

    Download
  • memory/848-97-0x000007FEF6110000-0x000007FEF614F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/848-96-0x000007FEF5AD0000-0x000007FEF5CD0000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/848-95-0x000007FEF6150000-0x000007FEF6161000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-94-0x000007FEF6170000-0x000007FEF618D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/848-93-0x000007FEF6190000-0x000007FEF61A1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-92-0x000007FEF6400000-0x000007FEF6417000-memory.dmp
    Filesize

    92KB

    Download
  • memory/848-89-0x000007FEF6590000-0x000007FEF65A1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-107-0x000007FEF48E0000-0x000007FEF598B000-memory.dmp
    Filesize

    16.7MB

    Download
  • memory/848-108-0x000007FEF4870000-0x000007FEF48D7000-memory.dmp
    Filesize

    412KB

    Download
  • memory/848-109-0x000007FEF4800000-0x000007FEF486F000-memory.dmp
    Filesize

    444KB

    Download
  • memory/848-120-0x000007FEF4620000-0x000007FEF4632000-memory.dmp
    Filesize

    72KB

    Download
  • memory/848-119-0x000007FEF4640000-0x000007FEF4653000-memory.dmp
    Filesize

    76KB

    Download
  • memory/848-118-0x000007FEF4660000-0x000007FEF4681000-memory.dmp
    Filesize

    132KB

    Download
  • memory/848-117-0x000007FEF4690000-0x000007FEF46A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/848-116-0x000007FEF46B0000-0x000007FEF46C1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-115-0x000007FEF46D0000-0x000007FEF46F3000-memory.dmp
    Filesize

    140KB

    Download
  • memory/848-114-0x000007FEF4700000-0x000007FEF4717000-memory.dmp
    Filesize

    92KB

    Download
  • memory/848-76-0x000007FEF66B0000-0x000007FEF66C8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/848-112-0x000007FEF4750000-0x000007FEF4778000-memory.dmp
    Filesize

    160KB

    Download
  • memory/848-111-0x000007FEF4780000-0x000007FEF47D6000-memory.dmp
    Filesize

    344KB

    Download
  • memory/848-110-0x000007FEF47E0000-0x000007FEF47F1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-121-0x000007FEF44E0000-0x000007FEF461B000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/848-83-0x000007FEF65B0000-0x000007FEF65C7000-memory.dmp
    Filesize

    92KB

    Download
  • memory/848-123-0x000007FEF42F0000-0x000007FEF44A2000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/848-124-0x000007FEF4290000-0x000007FEF42EC000-memory.dmp
    Filesize

    368KB

    Download
  • memory/848-147-0x000007FEF4270000-0x000007FEF4281000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-150-0x000007FEF3F70000-0x000007FEF41A1000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/848-149-0x000007FEF41B0000-0x000007FEF41C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/848-148-0x000007FEF41D0000-0x000007FEF4267000-memory.dmp
    Filesize

    604KB

    Download
  • memory/848-151-0x000007FEF3E50000-0x000007FEF3F62000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/848-152-0x000007FEF3E10000-0x000007FEF3E45000-memory.dmp
    Filesize

    212KB

    Download
  • memory/848-161-0x000007FEF3B20000-0x000007FEF3C22000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/848-160-0x000007FEF3C30000-0x000007FEF3C41000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-159-0x000007FEF3C50000-0x000007FEF3CEF000-memory.dmp
    Filesize

    636KB

    Download
  • memory/848-158-0x000007FEF3CF0000-0x000007FEF3D03000-memory.dmp
    Filesize

    76KB

    Download
  • memory/848-157-0x000007FEF3D10000-0x000007FEF3D22000-memory.dmp
    Filesize

    72KB

    Download
  • memory/848-156-0x000007FEF3D30000-0x000007FEF3D41000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-155-0x000007FEF3D50000-0x000007FEF3DB1000-memory.dmp
    Filesize

    388KB

    Download
  • memory/848-154-0x000007FEF3DC0000-0x000007FEF3DD1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-153-0x000007FEF3DE0000-0x000007FEF3E05000-memory.dmp
    Filesize

    148KB

    Download
  • memory/848-162-0x000007FEF3B00000-0x000007FEF3B11000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-165-0x000007FEF3AE0000-0x000007FEF3AF1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-166-0x000007FEF3AC0000-0x000007FEF3AD1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/848-167-0x000007FEF3AA0000-0x000007FEF3AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/848-180-0x000007FEF3A80000-0x000007FEF3A98000-memory.dmp
    Filesize

    96KB

    Download
  • memory/848-226-0x000007FEF3A60000-0x000007FEF3A76000-memory.dmp
    Filesize

    88KB

    Download
  • memory/848-73-0x000000013F6A0000-0x000000013F798000-memory.dmp
    Filesize

    992KB

    Download
  • memory/848-75-0x000007FEF5E00000-0x000007FEF60B4000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/848-74-0x000007FEF6710000-0x000007FEF6744000-memory.dmp
    Filesize

    208KB

    Download
  • memory/848-242-0x000007FEF3A30000-0x000007FEF3A59000-memory.dmp
    Filesize

    164KB

    Download
  • memory/848-251-0x000000013F6A0000-0x000000013F798000-memory.dmp
    Filesize

    992KB

    Download
  • memory/848-253-0x000007FEF6710000-0x000007FEF6744000-memory.dmp
    Filesize

    208KB

    Download
  • memory/848-255-0x000007FEF5E00000-0x000007FEF60B4000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/1244-282-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/1244-283-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download