Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 22:21
Static task: static1
Behavioral task: behavioral1
Sample: Valorant Log Cleaner Cheat Global.exe
Resource: win7-20240903-en
General
Target: Valorant Log Cleaner Cheat Global.exe
Size: 350KB
MD5: d92bb3a03399423f10c8ea12c3144cf2
SHA1: 14c5fa6f8dff8246e468c8ff6c7a0f9afef5552c
SHA256: 64e8907e1f174c2baabbd277fd97ed643831cc737b732eef1b1458a3797236cd
SHA512: e52f46ce506f6d82330938d07bd10bef77497e2a57ba1eabef698d55df02fe2bfa02a9cf483636f427091c2d47f4eb940ea36f4f51de50c4b1765d746596611a
SSDEEP: 6144:rBlkZvaF4NTBT0WMz/j1S4X6mteAlmioWuY:roSWNTB0WShSYteAl52Y
Malware Config
Signatures
pid: 2296
Process: powershell.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: Valorant Log Cleaner Cheat Global.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid: 2296
Process: powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description: Token: SeDebugPrivilege
pid: 2296
Process: powershell.exe
Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 1204 wrote to memory of 2696 | 1204 | Valorant Log Cleaner Cheat Global.exe | 31
PID 1204 wrote to memory of 2696 | 1204 | Valorant Log Cleaner Cheat Global.exe | 31
PID 1204 wrote to memory of 2696 | 1204 | Valorant Log Cleaner Cheat Global.exe | 31
PID 1204 wrote to memory of 2696 | 1204 | Valorant Log Cleaner Cheat Global.exe | 31
PID 2696 wrote to memory of 2804 | 2696 | cmd.exe | 32
PID 2696 wrote to memory of 2804 | 2696 | cmd.exe | 32
PID 2696 wrote to memory of 2804 | 2696 | cmd.exe | 32
PID 2696 wrote to memory of 2580 | 2696 | cmd.exe | 33
PID 2696 wrote to memory of 2580 | 2696 | cmd.exe | 33
PID 2696 wrote to memory of 2580 | 2696 | cmd.exe | 33
PID 2580 wrote to memory of 2296 | 2580 | cmd.exe | 34
PID 2580 wrote to memory of 2296 | 2580 | cmd.exe | 34
PID 2580 wrote to memory of 2296 | 2580 | cmd.exe | 34
Processes
1. C:\Users\Admin\AppData\Local\Temp\Valorant Log Cleaner Cheat Global.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Valorant Log Cleaner Cheat Global.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1204
   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\46D0.tmp\46D1.tmp\46D2.bat "C:\Users\Admin\AppData\Local\Temp\Valorant Log Cleaner Cheat Global.exe""
      - Suspicious use of WriteProcessMemory
      PID: 2696
      3. C:\Windows\system32\openfiles.exe
         Command line: openfiles
         PID: 2804
      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm')"
         - Suspicious use of WriteProcessMemory
         PID: 2580
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm')"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2296
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: 50c3e5658d9f8e2181699287c271f480
SHA1: 5f386d7f289e0f3eb147c06219d174f1df10115c
SHA256: dba654396c101a000dea540819fff90f1fdb9b350a5870e7357df22477ec6a6b
SHA512: d919788752f96d9c6c600da1ed7358ee53331e5e203fea9bb72d347e74803bef22047f0c6a817c06ab7f13b883585be01e9dac0b5f512c4931fdba91fe97f94a