Analysis

max time kernel: 1563s
max time network: 1564s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09-06-2024 14:29
Behavioral task: behavioral1
Sample: valorant installer.exe
Resource: win7-20240508-en
10 signatures
1800 seconds
General

Target: valorant installer.exe
Size: 7.5MB
MD5: 469679fe4074c5aeeb4e1412ca7523bd
SHA1: efa18e2d3d31e3f88df471bc9b5c9b7ee76ec658
SHA256: cf29b4fe81d71aa079d0098932f430aa2c880f8c44bd3a136b3d8e37eea56cf8
SHA512: d3a73f399f07e5785ef784f9221527c9cdadc6a125b86ed2bf76b6da8298356d23f1269252aad238aa4617948ccc77fbc6300bb0116a8a48b698861eea21176e
SSDEEP: 196608:LHyfZHTqZf0HHAZJO2fPebFOF9Dv/aQkpQlzzB2ASTV0nwxNAnLGx299I5:LWzqZfKg3ZP53DaQm6JkqKAnLGN
Malware Config
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: valorant installer.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (valorant installer.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: valorant installer.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (valorant installer.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (valorant installer.exe)
- YARA rule matches in process memory (resource: yara_rule)
  - behavioral1/memory/2976-8-0x0000000140000000-0x0000000141418000-memory.dmp: themida
  - behavioral1/memory/2976-14-0x0000000140000000-0x0000000141418000-memory.dmp: themida
  - behavioral1/memory/2976-15-0x0000000140000000-0x0000000141418000-memory.dmp: themida
  - behavioral1/memory/2976-16-0x0000000140000000-0x0000000141418000-memory.dmp: themida
  - behavioral1/memory/2976-19-0x0000000140000000-0x0000000141418000-memory.dmp: themida
- Checks whether UAC is enabled
  Processes: valorant installer.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (valorant installer.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: valorant installer.exe
  - PID 2976 (valorant installer.exe)
- Enumerates system info in registry (2 TTPs, 32 IoCs)
  Processes: csrss.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information (csrss.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data (csrss.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier (csrss.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data (csrss.exe)
  - Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information (csrss.exe)
  - Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController (csrss.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 (csrss.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data (csrss.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController (csrss.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter (csrss.exe)
  - Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data (csrss.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 (csrss.exe)
  - Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 (csrss.exe)
  - Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 (csrss.exe)
  - Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral (csrss.exe)
  - Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter (csrss.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information (csrss.exe)
  - Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 (csrss.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 (csrss.exe)
- Modifies data under HKEY_USERS (9 IoCs)
  Processes: winlogon.exe
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" (winlogon.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" (winlogon.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" (winlogon.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager (winlogon.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" (winlogon.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" (winlogon.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 (winlogon.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" (winlogon.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" (winlogon.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: valorant installer.exe
  - PID 2976 (valorant installer.exe)
  - PID 2976 (valorant installer.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: valorant installer.exe, LogonUI.exe
  - Token: SeDebugPrivilege, PID 2976 (valorant installer.exe)
  - Token: SeShutdownPrivilege, PID 2624 (LogonUI.exe)
  - Token: SeShutdownPrivilege, PID 2624 (LogonUI.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: valorant installer.exe, csrss.exe, winlogon.exe
  - PID 2976 (valorant installer.exe) wrote to memory of PID 428 (winlogon.exe)
  - PID 2712 (csrss.exe) wrote to memory of PID 2624 (LogonUI.exe), 2 events
  - PID 2832 (winlogon.exe) wrote to memory of PID 2624 (LogonUI.exe), 3 events
  - PID 2712 (csrss.exe) wrote to memory of PID 2624 (LogonUI.exe), 8 events
Processes

- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 428

- C:\Users\Admin\AppData\Local\Temp\valorant installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\valorant installer.exe"
  PID: 2976
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 2688

- C:\Windows\system32\csrss.exe
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  PID: 2712
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory

- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 2832
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\LogonUI.exe (child process, tree depth 2)
    Command line: "LogonUI.exe" /flags:0x0
    PID: 2624
    - Suspicious use of AdjustPrivilegeToken