Overview (score 10)
Static
Behavioral tasks as listed in the report navigation (sample name, platform, score; sample names are truncated in the navigation, full names are in the task list below):
Fortnite H...PC.dll    windows7-x64          1
Fortnite H...PC.dll    windows10-2004-x64    1
Fortnite H...ip.dll    windows7-x64          1
Fortnite H...ip.dll    windows10-2004-x64    1
Fortnite H...ft.dll    windows7-x64          1
Fortnite H...ft.dll    windows10-2004-x64    1
Fortnite H...er.exe    windows7-x64          3
Fortnite H...er.exe    windows10-2004-x64    3
Fortnite H...te.exe    windows7-x64          10
Fortnite H...te.exe    windows10-2004-x64    8
Fortnite H...er.dll    windows7-x64          1
Fortnite H...er.dll    windows10-2004-x64    1
Fortnite H...64.dll    windows7-x64          3
Fortnite H...64.dll    windows10-2004-x64    3
Fortnite H...PC.dll    windows7-x64          1
Fortnite H...PC.dll    windows10-2004-x64    1
Fortnite H...ip.dll    windows7-x64          1
Fortnite H...ip.dll    windows10-2004-x64    1
Fortnite H...or.exe    windows7-x64          3
Fortnite H...or.exe    windows10-2004-x64    3
Fortnite H...on.dll    windows7-x64          1
Fortnite H...on.dll    windows10-2004-x64    1
Fortnite H...rp.dll    windows7-x64          1
Fortnite H...rp.dll    windows10-2004-x64    1
Fortnite H...or.exe    windows7-x64          10
Fortnite H...or.exe    windows10-2004-x64    8
Fortnite H...ys.dll    windows7-x64          1
Fortnite H...ys.dll    windows10-2004-x64    1
Fortnite H...64.dll    windows7-x64          3
Fortnite H...64.dll    windows10-2004-x64    5
Analysis
- max time kernel: 326s
- max time network: 312s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-07-2022 16:35
Static task: static1
Behavioral tasks (task, sample, resource):
- behavioral1: Fortnite Hack v1.17/AutoUpdate v2/DiscordRPC.dll (win7-20220718-en)
- behavioral2: Fortnite Hack v1.17/AutoUpdate v2/DiscordRPC.dll (win10v2004-20220721-en)
- behavioral3: Fortnite Hack v1.17/AutoUpdate v2/DotNetZip.dll (win7-20220715-en)
- behavioral4: Fortnite Hack v1.17/AutoUpdate v2/DotNetZip.dll (win10v2004-20220722-en)
- behavioral5: Fortnite Hack v1.17/AutoUpdate v2/Newtonsoft.dll (win7-20220718-en)
- behavioral6: Fortnite Hack v1.17/AutoUpdate v2/Newtonsoft.dll (win10v2004-20220721-en)
- behavioral7: Fortnite Hack v1.17/AutoUpdate v2/for updater.exe (win7-20220715-en)
- behavioral8: Fortnite Hack v1.17/AutoUpdate v2/for updater.exe (win10v2004-20220721-en)
- behavioral9: Fortnite Hack v1.17/AutoUpdate v2/update.exe (win7-20220718-en)
- behavioral10: Fortnite Hack v1.17/AutoUpdate v2/update.exe (win10v2004-20220722-en)
- behavioral11: Fortnite Hack v1.17/AutoUpdate v2/updater.dll (win7-20220715-en)
- behavioral12: Fortnite Hack v1.17/AutoUpdate v2/updater.dll (win10v2004-20220721-en)
- behavioral13: Fortnite Hack v1.17/AutoUpdate v2/win64.dll (win7-20220718-en)
- behavioral14: Fortnite Hack v1.17/AutoUpdate v2/win64.dll (win10v2004-20220721-en)
- behavioral15: Fortnite Hack v1.17/DiscordRPC.dll (win7-20220718-en)
- behavioral16: Fortnite Hack v1.17/DiscordRPC.dll (win10v2004-20220721-en)
- behavioral17: Fortnite Hack v1.17/DotNetZip.dll (win7-20220715-en)
- behavioral18: Fortnite Hack v1.17/DotNetZip.dll (win10v2004-20220721-en)
- behavioral19: Fortnite Hack v1.17/For injector.exe (win7-20220718-en)
- behavioral20: Fortnite Hack v1.17/For injector.exe (win10v2004-20220721-en)
- behavioral21: Fortnite Hack v1.17/Newtonsoft.Json.dll (win7-20220715-en)
- behavioral22: Fortnite Hack v1.17/Newtonsoft.Json.dll (win10v2004-20220721-en)
- behavioral23: Fortnite Hack v1.17/RestSharp.dll (win7-20220718-en)
- behavioral24: Fortnite Hack v1.17/RestSharp.dll (win10v2004-20220721-en)
- behavioral25: Fortnite Hack v1.17/injector.exe (win7-20220718-en)
- behavioral26: Fortnite Hack v1.17/injector.exe (win10v2004-20220721-en)
- behavioral27: Fortnite Hack v1.17/laways.dll (win7-20220715-en)
- behavioral28: Fortnite Hack v1.17/laways.dll (win10v2004-20220722-en)
- behavioral29: Fortnite Hack v1.17/oo2core_8_win64.dll (win7-20220715-en)
- behavioral30: Fortnite Hack v1.17/oo2core_8_win64.dll (win10v2004-20220721-en)
General
- Target: Fortnite Hack v1.17/AutoUpdate v2/update.exe
- Size: 504KB
- MD5: b989834fe117f763a5b08223d839f4e9
- SHA1: 06798c3a87b1ca1ca62f5571c36e44433eb92f5c
- SHA256: 4e98f37fb1499cc9ccd6c84c9e920bbad3784fac3acd084a7113d788e87d5d69
- SHA512: 73a38d45d6c872be00e02cf1360eaa151acfe569a9d31ba3075cb34e63b907b63a652c9d7979bbebbbc46c6177d9083b7775f2105871b37db98ceda1e1920129
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4996 conhost.exe
    632 svhost.exe
    600 MoUSO.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation  update.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation  svhost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process; the report lists 64 entries, most of them repeats of the same pid/process):
    4240 update.exe
    3916 powershell.exe (2 entries)
    3660 powershell.exe (2 entries)
    3584 powershell.exe (2 entries)
    600 MoUSO.exe (all remaining entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  4240 update.exe
    Token: SeDebugPrivilege  3916 powershell.exe
    Token: SeDebugPrivilege  4996 conhost.exe
    Token: SeDebugPrivilege  3660 powershell.exe
    Token: SeDebugPrivilege  3584 powershell.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process, target process; each parent/child pair is recorded three times in the report):
    PID 4240 wrote to memory of 4996  4240 update.exe -> conhost.exe
    PID 4240 wrote to memory of 632   4240 update.exe -> svhost.exe
    PID 4996 wrote to memory of 4312  4996 conhost.exe -> cmd.exe
    PID 632 wrote to memory of 4720   632 svhost.exe -> schtasks.exe
    PID 4312 wrote to memory of 2260  4312 cmd.exe -> chcp.com
    PID 4312 wrote to memory of 3916  4312 cmd.exe -> powershell.exe
    PID 4312 wrote to memory of 3660  4312 cmd.exe -> powershell.exe
    PID 4312 wrote to memory of 3584  4312 cmd.exe -> powershell.exe
Processes (process tree; indentation shows the parent/child level)
C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\AutoUpdate v2\update.exe (level 1, PID 4240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\AutoUpdate v2\update.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\conhost.exe (level 2, PID 4996)
      Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 4312)
          Command line: "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\chcp.com (level 4, PID 2260)
              Command line: chcp 1251
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4, PID 3916)
              Command line: powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4, PID 3660)
              Command line: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4, PID 3584)
              Command line: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\svhost.exe (level 2, PID 632)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe (level 3, PID 4720)
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
          - Creates scheduled task(s)
C:\Users\Admin\AppData\Local\cache\MoUSO.exe (level 1, PID 600)
  Command line: C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- Filesize: 18KB
  MD5: 1b3021b87d59d844cc30f0fecf3c7968
  SHA1: f74e285b478fe5e097cf340ceeb688eb9215c40d
  SHA256: 90d33787e927a2d0495352e080dd86691012603fa0b808d7a10d6c2e9ff9753e
  SHA512: 0684813f20864b671b060c57c7a9be8492d5f8def84e69238e192b60cb0f708d745d0519285cfb75d590ea745354ed3166c219ce15ad87e4c22094c1c6b5c10b
- Filesize: 18KB
  MD5: 299c5ae42b2cfe9af34052d9a155ee26
  SHA1: f38043f6860cf95ce5cf737155dc3297d1f650a7
  SHA256: 50ce7ee3eb5eee85b2bba2f4944174efbb11af280abbeef6201fb62b493775ad
  SHA512: f7f745dbe226152f2f5f75115d3d5e4ec2d47bf8eeb8f78fda75f7f15f5db2edc738aae36d258d900c06bee60859e64f2d264e0ac541dc8b2c518fb8433371c7
- Filesize: 91KB (this entry appears twice in the report)
  MD5: 771731378a96560cd15d4cf5b2808aed
  SHA1: d9c4ed0e64b543c391a6d83f8347ace7bc43e536
  SHA256: 0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd
  SHA512: 3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db
- Filesize: 123KB (this entry appears four times in the report)
  MD5: 1a07b35055a94e295213e75c7252b96f
  SHA1: 137aaec61339f2adadba840544da32458f19e445
  SHA256: d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd
  SHA512: 1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80