Analysis
max time kernel: 92s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 20:53
Static task: static1
Behavioral task: behavioral1
  Sample: Riot Vanguard/installer.exe
  Resource: win10v2004-20240426-en
Behavioral task: behavioral2
  Sample: Riot Vanguard/log-uploader.exe
  Resource: win10v2004-20240426-en
Behavioral task: behavioral3
  Sample: Riot Vanguard/vgc.exe
  Resource: win10v2004-20240426-en
Behavioral task: behavioral4
  Sample: Riot Vanguard/vgk.sys
  Resource: win10v2004-20240426-en
Behavioral task: behavioral5
  Sample: Riot Vanguard/vgrl.dll
  Resource: win10v2004-20240426-en
Behavioral task: behavioral6
  Sample: Riot Vanguard/vgtray.exe
  Resource: win10v2004-20240508-en
General
Target: Riot Vanguard/installer.exe
Size: 2.8MB
MD5
8b963e14b46af2aa941af845ea117718
-
SHA1
c235d530e9a437acdb642800649f7e5e6a14f272
-
SHA256
d75e71bd7e984bc63dbd5adfd0d0275968cbf0086b765defa346d9be9ce6c465
-
SHA512
372296b3bd966d4ef2478cd555ea907d03287c62eec9452b46596ba4969099238b2615a3a5832618f2a94cea26974c9b02e52a94520b84e606d7f06afa62a705
-
SSDEEP
49152:LGtlqrrIU6isw71UcHwbq+wh9O0DdvW4LgkDHRcIucVsqTaJON2pgk/ZrcOh5PiU:6+stcHuzqOyLPRcfpJZNRJnAc
Malware Config
Signatures
Drops desktop.ini file(s) (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\desktop.ini | vgc.exe
Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\desktop.ini | vgc.exe
  File created | C:\Program Files\Riot Vanguard\Logs\vgc_5024_2024-05-15_20-55-12.log | vgc.exe
Delays execution with timeout.exe (1 IoCs)
  pid | Process
  4000 | timeout.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  2120 | installer.exe
  2120 | installer.exe
  2120 | installer.exe
  2120 | installer.exe
  2120 | installer.exe
  2120 | installer.exe
  5024 | vgc.exe
  5024 | vgc.exe
  5024 | vgc.exe
  5024 | vgc.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 5024 wrote to memory of 4292 | 5024 | vgc.exe | 97
  PID 5024 wrote to memory of 4292 | 5024 | vgc.exe | 97
  PID 4292 wrote to memory of 4000 | 4292 | cmd.exe | 99
  PID 4292 wrote to memory of 4000 | 4292 | cmd.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\Riot Vanguard\installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Riot Vanguard\installer.exe"
  PID: 2120
  - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\Riot Vanguard\vgc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Riot Vanguard\vgc.exe" --uninstall
    PID: 5024
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /d /c ""C:\Windows\system32\timeout.exe" /NOBREAK /T 5 && rmdir /S /Q "C:\Program Files\Riot Vanguard""
      PID: 4292
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\timeout.exe
        Command line: "C:\Windows\system32\timeout.exe" /NOBREAK /T 5
        PID: 4000
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix
Downloads