e5abc0ab0a44724a339f4e4a9bd9dadf2ccf646039123f5988a6b798516119a8

General

Target

valorantlite (1).exe
Size

9.2MB
MD5

5dede0e5fce17bff5157b16d8ece5687
SHA1

0052453250f03212f3e542b9021e2fbcc7816d45
SHA256

e5abc0ab0a44724a339f4e4a9bd9dadf2ccf646039123f5988a6b798516119a8
SHA512

e458a43f338e60dac66d206c5955bab6cce7578d219bcae22154229d78105f92aa0c8c18fa486108c2b97c45aae19ebdafe93fc69d5e87bdf97bb24c7ca5e258
SSDEEP

196608:X+uMx39cel0isVkjB14nhiF6Bzool63lY/GFuPO9PjDa:XJGioZT/eBzooCpF8WPjG

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	valorantlite (1).exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	valorantlite (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	valorantlite (1).exe

Loads dropped DLL 1 IoCs

pid	Process
328	valorantlite (1).exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	valorantlite (1).exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	valorantlite (1).exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	valorantlite (1).exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe
328	valorantlite (1).exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 4312	328	valorantlite (1).exe	86
PID 328 wrote to memory of 4312	328	valorantlite (1).exe	86
PID 4312 wrote to memory of 3940	4312	cmd.exe	87
PID 4312 wrote to memory of 3940	4312	cmd.exe	87
PID 328 wrote to memory of 4876	328	valorantlite (1).exe	88
PID 328 wrote to memory of 4876	328	valorantlite (1).exe	88
PID 328 wrote to memory of 2524	328	valorantlite (1).exe	89
PID 328 wrote to memory of 2524	328	valorantlite (1).exe	89
PID 328 wrote to memory of 1352	328	valorantlite (1).exe	90
PID 328 wrote to memory of 1352	328	valorantlite (1).exe	90
PID 328 wrote to memory of 1088	328	valorantlite (1).exe	91
PID 328 wrote to memory of 1088	328	valorantlite (1).exe	91
PID 328 wrote to memory of 1976	328	valorantlite (1).exe	92
PID 328 wrote to memory of 1976	328	valorantlite (1).exe	92
PID 328 wrote to memory of 3272	328	valorantlite (1).exe	93
PID 328 wrote to memory of 3272	328	valorantlite (1).exe	93
PID 328 wrote to memory of 3732	328	valorantlite (1).exe	94
PID 328 wrote to memory of 3732	328	valorantlite (1).exe	94
PID 328 wrote to memory of 568	328	valorantlite (1).exe	95
PID 328 wrote to memory of 568	328	valorantlite (1).exe	95
PID 328 wrote to memory of 4856	328	valorantlite (1).exe	96
PID 328 wrote to memory of 4856	328	valorantlite (1).exe	96
PID 328 wrote to memory of 4080	328	valorantlite (1).exe	97
PID 328 wrote to memory of 4080	328	valorantlite (1).exe	97

C:\Users\Admin\AppData\Local\Temp\valorantlite (1).exe
"C:\Users\Admin\AppData\Local\Temp\valorantlite (1).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mountvol X: /S
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\mountvol.exe
    mountvol X: /S
    3⤵
    PID:3940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move X:\EFI\Microsoft\Boot\boot.efi X:\EFI\Microsoft\Boot\bootmgfw.efi
  2⤵
  - Enumerates connected drives
  PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del X:\EFI\Boot\startup.nsh
  2⤵
  PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del X:\EFI\Boot\bootx64.efi
  2⤵
  PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del X:\mapper.efi
  2⤵
  PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move X:\EFI\Boot\bootx64.efi.backup X:\EFI\Boot\bootx64.efi
  2⤵
  - Enumerates connected drives
  PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5652098d.dll

Filesize
10KB

MD5
f6516cb50f403bf319fac2a3badd1929

SHA1
e5e26cf33182495c35ab453ac0df4e97c9eed5cc

SHA256
c44ced7452fcb8ddb82eb65656926b3197726aa6602a403054d4a65565190cd6

SHA512
235d935d5763aa8c9382615606a8994c2c70d29bfe72b65fe5c2a7283c1ab7e8698824f9dec607838f0978fe611bfca660ca6c776b4517660aad89f620f98ab3

Download Submit
memory/328-6-0x00007FF7A2A40000-0x00007FF7A414F000-memory.dmp

Filesize
23.1MB

Download
memory/328-45-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-3-0x00007FFB09280000-0x00007FFB09489000-memory.dmp

Filesize
2.0MB

Download
memory/328-4-0x00007FFB00030000-0x00007FFB00031000-memory.dmp

Filesize
4KB

Download
memory/328-5-0x00007FF7A2A40000-0x00007FF7A414F000-memory.dmp

Filesize
23.1MB

Download
memory/328-0-0x00007FF7A2A40000-0x00007FF7A414F000-memory.dmp

Filesize
23.1MB

Download
memory/328-8-0x0000000180000000-0x0000000180022000-memory.dmp

Filesize
136KB

Download
memory/328-15-0x00007FF7A2A40000-0x00007FF7A414F000-memory.dmp

Filesize
23.1MB

Download
memory/328-16-0x00007FF7A2A40000-0x00007FF7A414F000-memory.dmp

Filesize
23.1MB

Download
memory/328-17-0x00007FF7A2A40000-0x00007FF7A414F000-memory.dmp

Filesize
23.1MB

Download
memory/328-19-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-1-0x00007FFB07180000-0x00007FFB0723D000-memory.dmp

Filesize
756KB

Download
memory/328-2-0x00007FFB00000000-0x00007FFB00002000-memory.dmp

Filesize
8KB

Download
memory/328-29-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-37-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-32-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-33-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-35-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-31-0x0000017CA0650000-0x0000017CA0651000-memory.dmp

Filesize
4KB

Download
memory/328-39-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-41-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-43-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-30-0x0000017CA0640000-0x0000017CA0641000-memory.dmp

Filesize
4KB

Download
memory/328-46-0x0000017CA0E20000-0x0000017CA141E000-memory.dmp

Filesize
6.0MB

Download
memory/328-47-0x00007FF7A2A40000-0x00007FF7A414F000-memory.dmp

Filesize
23.1MB

Download
memory/328-48-0x00007FF7A2A40000-0x00007FF7A414F000-memory.dmp

Filesize
23.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads