Analysis

  • max time kernel
    51s
  • max time network
    17s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-06-2024 14:31

General

  • Target

    valorant installer.exe

  • Size

    7.5MB

  • MD5

    469679fe4074c5aeeb4e1412ca7523bd

  • SHA1

    efa18e2d3d31e3f88df471bc9b5c9b7ee76ec658

  • SHA256

    cf29b4fe81d71aa079d0098932f430aa2c880f8c44bd3a136b3d8e37eea56cf8

  • SHA512

    d3a73f399f07e5785ef784f9221527c9cdadc6a125b86ed2bf76b6da8298356d23f1269252aad238aa4617948ccc77fbc6300bb0116a8a48b698861eea21176e

  • SSDEEP

    196608:LHyfZHTqZf0HHAZJO2fPebFOF9Dv/aQkpQlzzB2ASTV0nwxNAnLGx299I5:LWzqZfKg3ZP53DaQm6JkqKAnLGN

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:548
  • C:\Users\Admin\AppData\Local\Temp\valorant installer.exe
    "C:\Users\Admin\AppData\Local\Temp\valorant installer.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4260

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/548-5-0x00000284CED50000-0x00000284CED52000-memory.dmp

    Filesize

    8KB

  • memory/1972-7-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1972-4-0x00000000004F0000-0x00000000004F9000-memory.dmp

    Filesize

    36KB

  • memory/1972-6-0x00000000004E0000-0x00000000004EB000-memory.dmp

    Filesize

    44KB

  • memory/1972-1-0x00000000004E0000-0x00000000004EB000-memory.dmp

    Filesize

    44KB

  • memory/1972-8-0x0000000000500000-0x0000000000510000-memory.dmp

    Filesize

    64KB

  • memory/1972-0-0x0000000140000000-0x0000000141418000-memory.dmp

    Filesize

    20.1MB

  • memory/1972-9-0x00007FFAA3A88000-0x00007FFAA3A8A000-memory.dmp

    Filesize

    8KB

  • memory/1972-10-0x0000000140000000-0x0000000141418000-memory.dmp

    Filesize

    20.1MB

  • memory/1972-11-0x0000000140000000-0x0000000141418000-memory.dmp

    Filesize

    20.1MB

  • memory/1972-12-0x0000000140000000-0x0000000141418000-memory.dmp

    Filesize

    20.1MB

  • memory/1972-17-0x0000000000500000-0x0000000000506000-memory.dmp

    Filesize

    24KB

  • memory/1972-16-0x0000000140000000-0x0000000141418000-memory.dmp

    Filesize

    20.1MB