dfd8631d100532fe58139b8bb90dd85dc42a2c563f7ec57289b440d011cacfa5

Analysis

max time kernel
30s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2023, 04:29

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ValorantAimbot.exe
Size

130KB
MD5

c2b8f73cd3499ba4924660e056ea057a
SHA1

42b7738039283379b3950dd6709f9a22f220b93f
SHA256

dfd8631d100532fe58139b8bb90dd85dc42a2c563f7ec57289b440d011cacfa5
SHA512

fbe55e1e3a28e165efa933dae837da832452937ee5a993d5b628f898c57b2c5dbe5d9ed3da28898bc5e036dcbe0c12713d5947aeaaac8597449f33b8234c9840
SSDEEP

3072:i7DhdC6kzWypvaQ0FxyNTBflrZjuwh67h4mM05/:iBlkZvaF4NTBdrhF65vB

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "154"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1540	shutdown.exe
Token: SeRemoteShutdownPrivilege	1540	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4956	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 1164	728	ValorantAimbot.exe	85
PID 728 wrote to memory of 1164	728	ValorantAimbot.exe	85
PID 1164 wrote to memory of 1540	1164	cmd.exe	87
PID 1164 wrote to memory of 1540	1164	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\ValorantAimbot.exe
"C:\Users\Admin\AppData\Local\Temp\ValorantAimbot.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6A28.tmp\6A29.tmp\6A2A.bat C:\Users\Admin\AppData\Local\Temp\ValorantAimbot.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\system32\shutdown.exe
    shutdown -s -f -t 15 -c "HAHAHAHAHA HACKEADO BY N1TR0zzzz, todas suas senhas foram enviada a database"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1540

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f4055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6A28.tmp\6A29.tmp\6A2A.bat

Filesize
41KB

MD5
46848869f9bfcbd5383fb50632aed40c

SHA1
bb7f10e88900dadc9e074085a388f43a4f6c4635

SHA256
346f2a01ac715c941b2b938ab817786d7a17224a914007584fef91e678300b0b

SHA512
7363208958a8e23e21c1fc24e9e0428b9ce30df69c06ddc570dde3b4f35b3f891d7df31496535f2da75194b4024b87b0f5c0517e0e0ce1a0208f171a26390775

Download Submit