734f289e454119f1bb31e9f4963c64e5230b51264229a1832b1707b9753f276c

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-02-2025 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bluewing TS/valorant esp.exe
Size

7.5MB
MD5

90dc2034f9b34caa297d22ba110a648b
SHA1

4aa18722f3c715107819252b14882e25faaf89d4
SHA256

a92207cdaeabf1e5837d5c78c581c2af75052f6b6c162d666cd66931879d9f8e
SHA512

556e09218bb190ab1a2158680d44a778236768c5c5e19339f303cda2bb27acb87fa1dbc34190b5cfd4acf27fc66894c79af067e5a10ce9229933829d972ff4c0
SSDEEP

196608:GKIg67q6GENqJ9fWiTcJhtmLY0FL53d0S/lFAezL3D5te2:v1Q9GEN17tmc0p53dTjAe/33

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3012	valorant esp.exe
3012	valorant esp.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3012	valorant esp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2792	3012	valorant esp.exe	31
PID 3012 wrote to memory of 2792	3012	valorant esp.exe	31
PID 3012 wrote to memory of 2792	3012	valorant esp.exe	31
PID 2792 wrote to memory of 2932	2792	cmd.exe	32
PID 2792 wrote to memory of 2932	2792	cmd.exe	32
PID 2792 wrote to memory of 2932	2792	cmd.exe	32
PID 2792 wrote to memory of 2900	2792	cmd.exe	33
PID 2792 wrote to memory of 2900	2792	cmd.exe	33
PID 2792 wrote to memory of 2900	2792	cmd.exe	33
PID 2792 wrote to memory of 2228	2792	cmd.exe	34
PID 2792 wrote to memory of 2228	2792	cmd.exe	34
PID 2792 wrote to memory of 2228	2792	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\bluewing TS\valorant esp.exe
"C:\Users\Admin\AppData\Local\Temp\bluewing TS\valorant esp.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\bluewing TS\valorant esp.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\bluewing TS\valorant esp.exe" MD5
    3⤵
    PID:2932
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2900
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3012-0-0x00000001400F3000-0x0000000140617000-memory.dmp

Filesize
5.1MB

Download
memory/3012-20-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/3012-18-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/3012-16-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/3012-15-0x0000000077DC0000-0x0000000077DC2000-memory.dmp

Filesize
8KB

Download
memory/3012-13-0x0000000077DC0000-0x0000000077DC2000-memory.dmp

Filesize
8KB

Download
memory/3012-11-0x0000000077DC0000-0x0000000077DC2000-memory.dmp

Filesize
8KB

Download
memory/3012-10-0x0000000077DA0000-0x0000000077DA2000-memory.dmp

Filesize
8KB

Download
memory/3012-8-0x0000000077DA0000-0x0000000077DA2000-memory.dmp

Filesize
8KB

Download
memory/3012-6-0x0000000077DA0000-0x0000000077DA2000-memory.dmp

Filesize
8KB

Download
memory/3012-5-0x0000000077D90000-0x0000000077D92000-memory.dmp

Filesize
8KB

Download
memory/3012-3-0x0000000077D90000-0x0000000077D92000-memory.dmp

Filesize
8KB

Download
memory/3012-36-0x000007FEFDAB0000-0x000007FEFDAB2000-memory.dmp

Filesize
8KB

Download
memory/3012-34-0x000007FEFDAB0000-0x000007FEFDAB2000-memory.dmp

Filesize
8KB

Download
memory/3012-31-0x0000000077DF0000-0x0000000077DF2000-memory.dmp

Filesize
8KB

Download
memory/3012-29-0x0000000077DF0000-0x0000000077DF2000-memory.dmp

Filesize
8KB

Download
memory/3012-27-0x0000000077DF0000-0x0000000077DF2000-memory.dmp

Filesize
8KB

Download
memory/3012-26-0x0000000140000000-0x0000000140D9F000-memory.dmp

Filesize
13.6MB

Download
memory/3012-41-0x000007FEFDAC0000-0x000007FEFDAC2000-memory.dmp

Filesize
8KB

Download
memory/3012-39-0x000007FEFDAC0000-0x000007FEFDAC2000-memory.dmp

Filesize
8KB

Download
memory/3012-25-0x0000000077DE0000-0x0000000077DE2000-memory.dmp

Filesize
8KB

Download
memory/3012-23-0x0000000077DE0000-0x0000000077DE2000-memory.dmp

Filesize
8KB

Download
memory/3012-21-0x0000000077DE0000-0x0000000077DE2000-memory.dmp

Filesize
8KB

Download
memory/3012-1-0x0000000077D90000-0x0000000077D92000-memory.dmp

Filesize
8KB

Download
memory/3012-46-0x0000000140000000-0x0000000140D9F000-memory.dmp

Filesize
13.6MB

Download
memory/3012-47-0x0000000140000000-0x0000000140D9F000-memory.dmp

Filesize
13.6MB

Download
memory/3012-49-0x00000001400F3000-0x0000000140617000-memory.dmp

Filesize
5.1MB

Download
memory/3012-50-0x0000000140000000-0x0000000140D9F000-memory.dmp

Filesize
13.6MB

Download