b97266f764abea6bd832262b970de1503408eb7de2e67c0d612651ce6ec96552

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valorantprv.exe
Size

6.1MB
MD5

893a1bcd05d8697d749247ed88f29644
SHA1

3e44e0856c00ea6d07d5a6f767c13c750df9b50c
SHA256

b97266f764abea6bd832262b970de1503408eb7de2e67c0d612651ce6ec96552
SHA512

78e2451d141be3166efa54596d36e2872e2d28222a6ca67c67fec3494f9593f8a8272e3d9099cd973ef6b01540e0da4e489ad2762d873183f635420e437da544
SSDEEP

196608:duAxxfWaEWPQ90x0fsSRpisVv4GmEU9fP0:dteOQ90efDidGEVP0

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Valorantprv.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Valorantprv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Valorantprv.exe

Loads dropped DLL 1 IoCs

pid	Process
2156	Valorantprv.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Valorantprv.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe
2156	Valorantprv.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2620	2156	Valorantprv.exe	29
PID 2156 wrote to memory of 2620	2156	Valorantprv.exe	29
PID 2156 wrote to memory of 2620	2156	Valorantprv.exe	29
PID 2620 wrote to memory of 2544	2620	cmd.exe	30
PID 2620 wrote to memory of 2544	2620	cmd.exe	30
PID 2620 wrote to memory of 2544	2620	cmd.exe	30
PID 2156 wrote to memory of 2528	2156	Valorantprv.exe	31
PID 2156 wrote to memory of 2528	2156	Valorantprv.exe	31
PID 2156 wrote to memory of 2528	2156	Valorantprv.exe	31
PID 2156 wrote to memory of 2816	2156	Valorantprv.exe	32
PID 2156 wrote to memory of 2816	2156	Valorantprv.exe	32
PID 2156 wrote to memory of 2816	2156	Valorantprv.exe	32
PID 2156 wrote to memory of 2520	2156	Valorantprv.exe	33
PID 2156 wrote to memory of 2520	2156	Valorantprv.exe	33
PID 2156 wrote to memory of 2520	2156	Valorantprv.exe	33
PID 2156 wrote to memory of 2596	2156	Valorantprv.exe	34
PID 2156 wrote to memory of 2596	2156	Valorantprv.exe	34
PID 2156 wrote to memory of 2596	2156	Valorantprv.exe	34
PID 2156 wrote to memory of 2400	2156	Valorantprv.exe	35
PID 2156 wrote to memory of 2400	2156	Valorantprv.exe	35
PID 2156 wrote to memory of 2400	2156	Valorantprv.exe	35
PID 2156 wrote to memory of 2576	2156	Valorantprv.exe	36
PID 2156 wrote to memory of 2576	2156	Valorantprv.exe	36
PID 2156 wrote to memory of 2576	2156	Valorantprv.exe	36
PID 2156 wrote to memory of 2812	2156	Valorantprv.exe	37
PID 2156 wrote to memory of 2812	2156	Valorantprv.exe	37
PID 2156 wrote to memory of 2812	2156	Valorantprv.exe	37
PID 2156 wrote to memory of 2548	2156	Valorantprv.exe	38
PID 2156 wrote to memory of 2548	2156	Valorantprv.exe	38
PID 2156 wrote to memory of 2548	2156	Valorantprv.exe	38
PID 2156 wrote to memory of 2612	2156	Valorantprv.exe	39
PID 2156 wrote to memory of 2612	2156	Valorantprv.exe	39
PID 2156 wrote to memory of 2612	2156	Valorantprv.exe	39
PID 2156 wrote to memory of 2256	2156	Valorantprv.exe	40
PID 2156 wrote to memory of 2256	2156	Valorantprv.exe	40
PID 2156 wrote to memory of 2256	2156	Valorantprv.exe	40

C:\Users\Admin\AppData\Local\Temp\Valorantprv.exe
"C:\Users\Admin\AppData\Local\Temp\Valorantprv.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mountvol X: /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\mountvol.exe
    mountvol X: /S
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move X:\EFI\Microsoft\Boot\boot.efi X:\EFI\Microsoft\Boot\bootmgfw.efi
  2⤵
  - Enumerates connected drives
  PID:2528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del X:\EFI\Boot\startup.nsh
  2⤵
  PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del X:\EFI\Boot\bootx64.efi
  2⤵
  PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del X:\mapper.efi
  2⤵
  PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move X:\EFI\Boot\bootx64.efi.backup X:\EFI\Boot\bootx64.efi
  2⤵
  - Enumerates connected drives
  PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\484ecf9c.dll

Filesize
10KB

MD5
f7003d7b57e8ddff11f488ae449f4bdf

SHA1
4494811b26d5d8547193bac35257f67a762105c7

SHA256
56dbc98c0a7b6e8c26f9b9b99919e348c04b776b75baf8aa1c2190c07af0a249

SHA512
f88001c334114a86e974d2a17d5d36bb0148c937277426aba8675e7a30625169d862d98209c3978bad89276a7c2c8114b14506a6e3f0ec934d88382078b9a3c3

Download Submit
memory/2156-17-0x000000013FE70000-0x0000000140EAD000-memory.dmp

Filesize
16.2MB

Download
memory/2156-27-0x00000000021D0000-0x0000000002258000-memory.dmp

Filesize
544KB

Download
memory/2156-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2156-2-0x000007FEFDD10000-0x000007FEFDD7C000-memory.dmp

Filesize
432KB

Download
memory/2156-1-0x000007FEFDD10000-0x000007FEFDD7C000-memory.dmp

Filesize
432KB

Download
memory/2156-6-0x000000013FE70000-0x0000000140EAD000-memory.dmp

Filesize
16.2MB

Download
memory/2156-7-0x000000013FE70000-0x0000000140EAD000-memory.dmp

Filesize
16.2MB

Download
memory/2156-9-0x0000000180000000-0x0000000180022000-memory.dmp

Filesize
136KB

Download
memory/2156-16-0x000000013FE70000-0x0000000140EAD000-memory.dmp

Filesize
16.2MB

Download
memory/2156-33-0x0000000003140000-0x0000000003355000-memory.dmp

Filesize
2.1MB

Download
memory/2156-4-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/2156-21-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2156-0-0x000000013FE70000-0x0000000140EAD000-memory.dmp

Filesize
16.2MB

Download
memory/2156-5-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/2156-42-0x000000013FE70000-0x0000000140EAD000-memory.dmp

Filesize
16.2MB

Download
memory/2156-43-0x000007FEFDD10000-0x000007FEFDD7C000-memory.dmp

Filesize
432KB

Download
memory/2156-45-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/2156-46-0x0000000003140000-0x0000000003355000-memory.dmp

Filesize
2.1MB

Download
memory/2156-47-0x000000013FE70000-0x0000000140EAD000-memory.dmp

Filesize
16.2MB

Download
memory/2156-48-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/2156-49-0x000007FEFDD10000-0x000007FEFDD7C000-memory.dmp

Filesize
432KB

Download
memory/2156-50-0x0000000003140000-0x0000000003355000-memory.dmp

Filesize
2.1MB

Download