Overview
overview
8Static
static
1Valorant O...ch.zip
windows7-x64
1Valorant O...ch.zip
windows10-2004-x64
1Valorant O...T).lnk
windows7-x64
1Valorant O...T).lnk
windows10-2004-x64
1Valorant O...e).cmd
windows7-x64
1Valorant O...e).cmd
windows10-2004-x64
1Valorant O...es.cmd
windows7-x64
7Valorant O...es.cmd
windows10-2004-x64
7Valorant O...es.cmd
windows7-x64
7Valorant O...es.cmd
windows10-2004-x64
1Valorant O...he.bat
windows7-x64
8Valorant O...he.bat
windows10-2004-x64
8Valorant O...he.cmd
windows7-x64
1Valorant O...he.cmd
windows10-2004-x64
1Valorant O...Up.lnk
windows7-x64
7Valorant O...Up.lnk
windows10-2004-x64
7Analysis
-
max time kernel
132s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
20/02/2024, 09:33
Static task
static1
Behavioral task
behavioral1
Sample
Valorant Optimization Pack - OGTech.zip
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
Valorant Optimization Pack - OGTech.zip
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Valorant Optimization Pack - OGTech/1. Optmize Desktop & Laptop/Create A Restore Point (IMPORTANT).lnk
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral4
Sample
Valorant Optimization Pack - OGTech/1. Optmize Desktop & Laptop/Create A Restore Point (IMPORTANT).lnk
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Clear DNS Cache (Ping Improve).cmd
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral6
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Clear DNS Cache (Ping Improve).cmd
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Delete Log Files.cmd
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral8
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Delete Log Files.cmd
Resource
win10v2004-20240220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Delete Temporary Files.cmd
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral10
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Delete Temporary Files.cmd
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Delete Thumbnail Cache.bat
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral12
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Delete Thumbnail Cache.bat
Resource
win10v2004-20240220-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Delete Windows Update Cache.cmd
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral14
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Delete Windows Update Cache.cmd
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Disk Clean-Up.lnk
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral16
Sample
Valorant Optimization Pack - OGTech/4. Clean-Ups/Disk Clean-Up.lnk
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
Valorant Optimization Pack - OGTech/4. Clean-Ups/Delete Thumbnail Cache.bat
-
Size
232B
-
MD5
5887f03adc7ffe40769d0246d457531d
-
SHA1
6681f82771048fb0ae405c02c7d8a06f08d77a4c
-
SHA256
4bf7497786206040924db5f8c2ee75b9466676a115c169657f620c287a92ae20
-
SHA512
2cfc53921eca548df790dc98f8622c9a322139f280a39c58e503b42b6000864f329632af42155af495363eefd75a67961a2e97f6336925767f4a6cf5e98341c0
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 2712 timeout.exe 2676 timeout.exe -
Kills process with taskkill 1 IoCs
pid Process 2528 taskkill.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 2528 taskkill.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe Token: SeShutdownPrivilege 2856 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe -
Suspicious use of SendNotifyMessage 17 IoCs
pid Process 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe 2856 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2052 wrote to memory of 2528 2052 cmd.exe 29 PID 2052 wrote to memory of 2528 2052 cmd.exe 29 PID 2052 wrote to memory of 2528 2052 cmd.exe 29 PID 2052 wrote to memory of 2712 2052 cmd.exe 31 PID 2052 wrote to memory of 2712 2052 cmd.exe 31 PID 2052 wrote to memory of 2712 2052 cmd.exe 31 PID 2052 wrote to memory of 2676 2052 cmd.exe 32 PID 2052 wrote to memory of 2676 2052 cmd.exe 32 PID 2052 wrote to memory of 2676 2052 cmd.exe 32 PID 2052 wrote to memory of 2856 2052 cmd.exe 33 PID 2052 wrote to memory of 2856 2052 cmd.exe 33 PID 2052 wrote to memory of 2856 2052 cmd.exe 33 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Valorant Optimization Pack - OGTech\4. Clean-Ups\Delete Thumbnail Cache.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\system32\timeout.exetimeout 2 /nobreak2⤵
- Delays execution with timeout.exe
PID:2712
-
-
C:\Windows\system32\timeout.exetimeout 2 /nobreak2⤵
- Delays execution with timeout.exe
PID:2676
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2856
-