Analysis
- max time kernel: 1794s
- max time network: 1799s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-06-2024 14:29

Behavioral task: behavioral1
- Sample: valorant installer.exe
- Resource: win7-20240508-en
- 10 signatures
- 1800 seconds
General
- Target: valorant installer.exe
- Size: 7.5MB
- MD5: 469679fe4074c5aeeb4e1412ca7523bd
- SHA1: efa18e2d3d31e3f88df471bc9b5c9b7ee76ec658
- SHA256: cf29b4fe81d71aa079d0098932f430aa2c880f8c44bd3a136b3d8e37eea56cf8
- SHA512: d3a73f399f07e5785ef784f9221527c9cdadc6a125b86ed2bf76b6da8298356d23f1269252aad238aa4617948ccc77fbc6300bb0116a8a48b698861eea21176e
- SSDEEP: 196608:LHyfZHTqZf0HHAZJO2fPebFOF9Dv/aQkpQlzzB2ASTV0nwxNAnLGx299I5:LWzqZfKg3ZP53DaQm6JkqKAnLGN
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: valorant installer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | valorant installer.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: valorant installer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | valorant installer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | valorant installer.exe
Processes:
resource | yara_rule
behavioral2/memory/432-0-0x0000000140000000-0x0000000141418000-memory.dmp | themida
behavioral2/memory/432-12-0x0000000140000000-0x0000000141418000-memory.dmp | themida
behavioral2/memory/432-13-0x0000000140000000-0x0000000141418000-memory.dmp | themida
behavioral2/memory/432-14-0x0000000140000000-0x0000000141418000-memory.dmp | themida
behavioral2/memory/432-18-0x0000000140000000-0x0000000141418000-memory.dmp | themida
- Checks whether UAC is enabled
Processes: valorant installer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | valorant installer.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes: winlogon.exe
pid | process
620 | winlogon.exe (identical entry repeated for all 64 IoCs)
- Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: valorant installer.exe, winlogon.exe
pid | process
432 | valorant installer.exe (4 IoCs)
620 | winlogon.exe (remaining 60 IoCs)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: valorant installer.exe
description | pid | process
Token: SeDebugPrivilege | 432 | valorant installer.exe
- Suspicious use of WriteProcessMemory 1 IoCs
Processes: valorant installer.exe
description | pid | process | target process
PID 432 wrote to memory of 620 | 432 | valorant installer.exe | winlogon.exe
Processes
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 620
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\valorant installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\valorant installer.exe"
  PID: 432
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
  PID: 1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4776,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1392 /prefetch:8
  PID: 4468