Analysis Overview
SHA256
cf29b4fe81d71aa079d0098932f430aa2c880f8c44bd3a136b3d8e37eea56cf8
Threat Level: Likely malicious
The file valorant installer.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 14:31
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 14:31
Reported
2024-06-09 14:32
Platform
win10-20240404-en
Max time kernel
51s
Max time network
17s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\valorant installer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\valorant installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\valorant installer.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\valorant installer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\valorant installer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\valorant installer.exe | C:\Windows\system32\winlogon.exe |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Users\Admin\AppData\Local\Temp\valorant installer.exe
"C:\Users\Admin\AppData\Local\Temp\valorant installer.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| DE | 141.147.4.137:8873 | | tcp |
| US | 8.8.8.8:53 | 137.4.147.141.in-addr.arpa | udp |
Files