e5859eb1dfa66e5d40908e0fc6901d7c2f5bd84fb6df5a3b432e34576e04cebd

Resubmissions

12/09/2024, 20:56

240912-zq94aathjk 3

03/07/2024, 09:13

240703-k6rjjszdqn 10

Analysis

max time kernel
38s
max time network
52s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
12/09/2024, 20:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Install VALORANT.exe
Size

68.3MB
MD5

7da818565aa08d22e5950cbe28d5c215
SHA1

82e382af13d7f3f8c5bea56faeeea0566883931c
SHA256

e5859eb1dfa66e5d40908e0fc6901d7c2f5bd84fb6df5a3b432e34576e04cebd
SHA512

afa921057b4953b4fbb88c17d7b2c3cb80c59d4bca9e776d590e2693a5af3d6861592d302f9f349e6bc03f3555e77b6f033d17c33143c8dce104f6a8fc80904a
SSDEEP

1572864:sgs99CzSp8d0UNl/Ywrt9E7lzPFUKBBJDIVIbjSp1xe:/6p8dnAthBBJDIVRj

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install VALORANT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install VALORANT.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3364	Install VALORANT.exe
3364	Install VALORANT.exe
3364	Install VALORANT.exe
3364	Install VALORANT.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3364	Install VALORANT.exe
Token: SeIncBasePriorityPrivilege	4336	Install VALORANT.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 4336	3364	Install VALORANT.exe	70
PID 3364 wrote to memory of 4336	3364	Install VALORANT.exe	70
PID 3364 wrote to memory of 4336	3364	Install VALORANT.exe	70

C:\Users\Admin\AppData\Local\Temp\Install VALORANT.exe
"C:\Users\Admin\AppData\Local\Temp\Install VALORANT.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\Install VALORANT.exe
  "C:\Users\Admin\AppData\Local\Temp\Install VALORANT.exe" --agent --riotclient-app-port=49794 --riotclient-auth-token=YcpudPMfO9eKhtwtnEDVtA --app-root=C:/Users/Admin/AppData/Local/Temp "--data-root=C:/ProgramData/Riot Games/Metadata" "--update-root=C:/ProgramData/Riot Games/Metadata/Install VALORANT/Update" "--log-root=C:/Users/Admin/AppData/Local/Riot Games/Install VALORANT/Logs" "--user-data-root=C:/Users/Admin/AppData/Local/Riot Games/Install VALORANT" --session-id=cdc30c2a-8279-af46-8d90-d4313f752069
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Riot Games\machine.cfg

Filesize
39B

MD5
54dfeea2fe1c441cec6132054034ea13

SHA1
3bd9d56bf07ed5a48d60a48f34f859e871f2aa8c

SHA256
eaf7dcbfe028bceb8cd16a652732792b71729e8be023d6ed4d047ba6555ae690

SHA512
30595ef9e563a7a19211e7335acd2375365b286f648591d59857c33e2b5a68a1aa0d17b1d20ca0585ce2cbe1d029a6faca0a2069989722f59e5bdb2d6f8ad78f

Download Submit