a42a8ff1902cf63d0a087335b3a04dfc349471fca551b948a834e8049efa95af

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Riot Vanguard/installer.exe
Size

2.8MB
MD5

8b963e14b46af2aa941af845ea117718
SHA1

c235d530e9a437acdb642800649f7e5e6a14f272
SHA256

d75e71bd7e984bc63dbd5adfd0d0275968cbf0086b765defa346d9be9ce6c465
SHA512

372296b3bd966d4ef2478cd555ea907d03287c62eec9452b46596ba4969099238b2615a3a5832618f2a94cea26974c9b02e52a94520b84e606d7f06afa62a705
SSDEEP

49152:LGtlqrrIU6isw71UcHwbq+wh9O0DdvW4LgkDHRcIucVsqTaJON2pgk/ZrcOh5PiU:6+stcHuzqOyLPRcfpJZNRJnAc

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	vgc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	vgc.exe
File created	C:\Program Files\Riot Vanguard\Logs\vgc_5024_2024-05-15_20-55-12.log	vgc.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4000	timeout.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2120	installer.exe
2120	installer.exe
2120	installer.exe
2120	installer.exe
2120	installer.exe
2120	installer.exe
5024	vgc.exe
5024	vgc.exe
5024	vgc.exe
5024	vgc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 4292	5024	vgc.exe	97
PID 5024 wrote to memory of 4292	5024	vgc.exe	97
PID 4292 wrote to memory of 4000	4292	cmd.exe	99
PID 4292 wrote to memory of 4000	4292	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\Riot Vanguard\installer.exe
"C:\Users\Admin\AppData\Local\Temp\Riot Vanguard\installer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2120
- C:\Users\Admin\AppData\Local\Temp\Riot Vanguard\vgc.exe
  "C:\Users\Admin\AppData\Local\Temp\Riot Vanguard\vgc.exe" --uninstall
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d /c ""C:\Windows\system32\timeout.exe" /NOBREAK /T 5 && rmdir /S /Q "C:\Program Files\Riot Vanguard""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\system32\timeout.exe
      "C:\Windows\system32\timeout.exe" /NOBREAK /T 5
      4⤵
      Delays execution with timeout.exe
      PID:4000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Riot Vanguard\Logs\VGC_50~1.LOG

Filesize
1KB

MD5
6998e46d069c02dbb02e50340b7140aa

SHA1
ef61f15e553ae3e87ee453d56cb6a29d6a3393be

SHA256
fdf323eb3f33d8903d9cb58439012f6147a6ee22222eedacb752589f1b9eb3b0

SHA512
71fe08c091f7b1ea7c923a50501d1b012453e858f6a1b7db815c05adb73ad300ae02ea593c7e8cf06b567ea6e06e872cf76b71bbf5f9482d3a123bfd90e6f459

Download Submit
C:\Program Files\desktop.ini

Filesize
174B

MD5
6383522c180badc4e1d5c30a5c4f4913

SHA1
62a30e96459b694f7b22d730c460a65cd2ebaaca

SHA256
4705ba6793dc93c1bbe2a9e790e9e22778d217531b1750471206fd5c52bbd2b5

SHA512
7cf603201e13fb85873c9aa07388429cbd1ea1fbf5ee9fc785d1ca4da0cf565db70e705636bf62f600fc6c5e16fd9395a8f92cd7d60882d015dbfb087fb33f54

Download Submit
memory/2120-0-0x00007FFC73D30000-0x00007FFC741D9000-memory.dmp

Filesize
4.7MB

Download
memory/2120-4-0x00007FFC91B10000-0x00007FFC91D05000-memory.dmp

Filesize
2.0MB

Download
memory/2120-3-0x00007FFC91BAD000-0x00007FFC91BAE000-memory.dmp

Filesize
4KB

Download
memory/2120-5-0x00007FFC91B10000-0x00007FFC91D05000-memory.dmp

Filesize
2.0MB

Download
memory/2120-6-0x00007FFC91B10000-0x00007FFC91D05000-memory.dmp

Filesize
2.0MB

Download
memory/2120-39-0x00007FFC91B10000-0x00007FFC91D05000-memory.dmp

Filesize
2.0MB

Download
memory/5024-9-0x00007FFC91B10000-0x00007FFC91D05000-memory.dmp

Filesize
2.0MB

Download
memory/5024-7-0x00007FF63D720000-0x00007FF63EA6E000-memory.dmp

Filesize
19.3MB

Download
memory/5024-38-0x00007FFC91B10000-0x00007FFC91D05000-memory.dmp

Filesize
2.0MB

Download