Analysis
max time kernel: 51s
max time network: 17s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09-06-2024 14:31
General
Target: valorant installer.exe
Size: 7.5MB
MD5: 469679fe4074c5aeeb4e1412ca7523bd
SHA1: efa18e2d3d31e3f88df471bc9b5c9b7ee76ec658
SHA256: cf29b4fe81d71aa079d0098932f430aa2c880f8c44bd3a136b3d8e37eea56cf8
SHA512: d3a73f399f07e5785ef784f9221527c9cdadc6a125b86ed2bf76b6da8298356d23f1269252aad238aa4617948ccc77fbc6300bb0116a8a48b698861eea21176e
SSDEEP: 196608:LHyfZHTqZf0HHAZJO2fPebFOF9Dv/aQkpQlzzB2ASTV0nwxNAnLGx299I5:LWzqZfKg3ZP53DaQm6JkqKAnLGN
Malware Config

Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  description   ioc                                            process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   valorant installer.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                   process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion        valorant installer.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion       valorant installer.exe
Processes:
  resource                                                                   yara_rule
  behavioral1/memory/1972-0-0x0000000140000000-0x0000000141418000-memory.dmp   themida
  behavioral1/memory/1972-10-0x0000000140000000-0x0000000141418000-memory.dmp  themida
  behavioral1/memory/1972-11-0x0000000140000000-0x0000000141418000-memory.dmp  themida
  behavioral1/memory/1972-12-0x0000000140000000-0x0000000141418000-memory.dmp  themida
  behavioral1/memory/1972-16-0x0000000140000000-0x0000000141418000-memory.dmp  themida
Checks whether UAC is enabled (1 IoC)
Processes:
  description         ioc                                                                                   process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   valorant installer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
Processes:
  pid   process
  548   winlogon.exe   (64 identical rows)
Drops file in Windows directory (2 IoCs)
Processes:
  description    ioc                                                   process
  File created   C:\Windows\rescache\_merged\4183903823\2290032291.pri   taskmgr.exe
  File created   C:\Windows\rescache\_merged\1601268389\715946058.pri    taskmgr.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                                                                                                     process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000                                                          taskmgr.exe
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                             taskmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid    process
  1972   valorant installer.exe   (2 rows)
  548    winlogon.exe             (remaining 62 rows)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                       pid    process
  Token: SeDebugPrivilege           1972   valorant installer.exe
  Token: SeDebugPrivilege           4260   taskmgr.exe
  Token: SeSystemProfilePrivilege   4260   taskmgr.exe
  Token: SeCreateGlobalPrivilege    4260   taskmgr.exe
Suspicious use of FindShellTrayWindow (26 IoCs)
Processes:
  pid    process
  4260   taskmgr.exe   (26 identical rows)
Suspicious use of SendNotifyMessage (26 IoCs)
Processes:
  pid    process
  4260   taskmgr.exe   (26 identical rows)
Suspicious use of WriteProcessMemory (1 IoC)
Processes:
  description                   pid    process                  target process
  PID 1972 wrote to memory of 548   1972   valorant installer.exe   winlogon.exe
Processes

C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 548
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\valorant installer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\valorant installer.exe"
  PID: 1972
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4260
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage