4c08a8f3c94eb025877f8cb8ae3018578183d5b5e829280fee70fb700f04e428

Analysis

max time kernel
326s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite Hack v1.17/AutoUpdate v2/update.exe
Size

504KB
MD5

b989834fe117f763a5b08223d839f4e9
SHA1

06798c3a87b1ca1ca62f5571c36e44433eb92f5c
SHA256

4e98f37fb1499cc9ccd6c84c9e920bbad3784fac3acd084a7113d788e87d5d69
SHA512

73a38d45d6c872be00e02cf1360eaa151acfe569a9d31ba3075cb34e63b907b63a652c9d7979bbebbbc46c6177d9083b7775f2105871b37db98ceda1e1920129

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

conhost.exesvhost.exeMoUSO.exe

pid process

4996 conhost.exe
632 svhost.exe
600 MoUSO.exe

pid	process
4996	conhost.exe
632	svhost.exe
600	MoUSO.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

update.exesvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4720 schtasks.exe

pid	process
4720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

update.exepowershell.exepowershell.exepowershell.exeMoUSO.exe

pid	process
4240	update.exe
3916	powershell.exe
3916	powershell.exe
3660	powershell.exe
3660	powershell.exe
3584	powershell.exe
3584	powershell.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe
600	MoUSO.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

update.exepowershell.execonhost.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4240	update.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	4996	conhost.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

update.execonhost.exesvhost.execmd.exe

description	pid	process	target process
PID 4240 wrote to memory of 4996	4240	update.exe	conhost.exe
PID 4240 wrote to memory of 4996	4240	update.exe	conhost.exe
PID 4240 wrote to memory of 4996	4240	update.exe	conhost.exe
PID 4240 wrote to memory of 632	4240	update.exe	svhost.exe
PID 4240 wrote to memory of 632	4240	update.exe	svhost.exe
PID 4240 wrote to memory of 632	4240	update.exe	svhost.exe
PID 4996 wrote to memory of 4312	4996	conhost.exe	cmd.exe
PID 4996 wrote to memory of 4312	4996	conhost.exe	cmd.exe
PID 4996 wrote to memory of 4312	4996	conhost.exe	cmd.exe
PID 632 wrote to memory of 4720	632	svhost.exe	schtasks.exe
PID 632 wrote to memory of 4720	632	svhost.exe	schtasks.exe
PID 632 wrote to memory of 4720	632	svhost.exe	schtasks.exe
PID 4312 wrote to memory of 2260	4312	cmd.exe	chcp.com
PID 4312 wrote to memory of 2260	4312	cmd.exe	chcp.com
PID 4312 wrote to memory of 2260	4312	cmd.exe	chcp.com
PID 4312 wrote to memory of 3916	4312	cmd.exe	powershell.exe
PID 4312 wrote to memory of 3916	4312	cmd.exe	powershell.exe
PID 4312 wrote to memory of 3916	4312	cmd.exe	powershell.exe
PID 4312 wrote to memory of 3660	4312	cmd.exe	powershell.exe
PID 4312 wrote to memory of 3660	4312	cmd.exe	powershell.exe
PID 4312 wrote to memory of 3660	4312	cmd.exe	powershell.exe
PID 4312 wrote to memory of 3584	4312	cmd.exe	powershell.exe
PID 4312 wrote to memory of 3584	4312	cmd.exe	powershell.exe
PID 4312 wrote to memory of 3584	4312	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\AutoUpdate v2\update.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\AutoUpdate v2\update.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
3⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
3⤵
- Creates scheduled task(s)
PID:4720

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1b3021b87d59d844cc30f0fecf3c7968

SHA1
f74e285b478fe5e097cf340ceeb688eb9215c40d

SHA256
90d33787e927a2d0495352e080dd86691012603fa0b808d7a10d6c2e9ff9753e

SHA512
0684813f20864b671b060c57c7a9be8492d5f8def84e69238e192b60cb0f708d745d0519285cfb75d590ea745354ed3166c219ce15ad87e4c22094c1c6b5c10b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
299c5ae42b2cfe9af34052d9a155ee26

SHA1
f38043f6860cf95ce5cf737155dc3297d1f650a7

SHA256
50ce7ee3eb5eee85b2bba2f4944174efbb11af280abbeef6201fb62b493775ad

SHA512
f7f745dbe226152f2f5f75115d3d5e4ec2d47bf8eeb8f78fda75f7f15f5db2edc738aae36d258d900c06bee60859e64f2d264e0ac541dc8b2c518fb8433371c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
91KB

MD5
771731378a96560cd15d4cf5b2808aed

SHA1
d9c4ed0e64b543c391a6d83f8347ace7bc43e536

SHA256
0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd

SHA512
3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
91KB

MD5
771731378a96560cd15d4cf5b2808aed

SHA1
d9c4ed0e64b543c391a6d83f8347ace7bc43e536

SHA256
0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd

SHA512
3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
memory/632-149-0x0000000000000000-mapping.dmp

Download
memory/2260-154-0x0000000000000000-mapping.dmp

Download
memory/3584-175-0x0000000000000000-mapping.dmp

Download
memory/3584-177-0x0000000070780000-0x00000000707CC000-memory.dmp

Filesize
304KB

Download
memory/3660-174-0x0000000070780000-0x00000000707CC000-memory.dmp

Filesize
304KB

Download
memory/3660-171-0x0000000000000000-mapping.dmp

Download
memory/3916-168-0x00000000072C0000-0x00000000072CE000-memory.dmp

Filesize
56KB

Download
memory/3916-164-0x0000000007700000-0x0000000007D7A000-memory.dmp

Filesize
6.5MB

Download
memory/3916-170-0x0000000007300000-0x0000000007308000-memory.dmp

Filesize
32KB

Download
memory/3916-169-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/3916-167-0x0000000007320000-0x00000000073B6000-memory.dmp

Filesize
600KB

Download
memory/3916-166-0x00000000070F0000-0x00000000070FA000-memory.dmp

Filesize
40KB

Download
memory/3916-165-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/3916-163-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/3916-155-0x0000000000000000-mapping.dmp

Download
memory/3916-156-0x0000000004810000-0x0000000004846000-memory.dmp

Filesize
216KB

Download
memory/3916-157-0x0000000004E80000-0x00000000054A8000-memory.dmp

Filesize
6.2MB

Download
memory/3916-158-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/3916-159-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/3916-160-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/3916-161-0x0000000006330000-0x0000000006362000-memory.dmp

Filesize
200KB

Download
memory/3916-162-0x0000000071F30000-0x0000000071F7C000-memory.dmp

Filesize
304KB

Download
memory/4240-141-0x0000000009FD0000-0x000000000A192000-memory.dmp

Filesize
1.8MB

Download
memory/4240-143-0x000000000A210000-0x000000000A260000-memory.dmp

Filesize
320KB

Download
memory/4240-142-0x000000000A6D0000-0x000000000ABFC000-memory.dmp

Filesize
5.2MB

Download
memory/4240-133-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4240-140-0x0000000009560000-0x00000000095C6000-memory.dmp

Filesize
408KB

Download
memory/4240-132-0x00000000065E0000-0x0000000006BF8000-memory.dmp

Filesize
6.1MB

Download
memory/4240-134-0x00000000061A0000-0x00000000062AA000-memory.dmp

Filesize
1.0MB

Download
memory/4240-139-0x00000000094A0000-0x00000000094BE000-memory.dmp

Filesize
120KB

Download
memory/4240-135-0x0000000008230000-0x000000000826C000-memory.dmp

Filesize
240KB

Download
memory/4240-136-0x00000000090E0000-0x0000000009156000-memory.dmp

Filesize
472KB

Download
memory/4240-137-0x0000000009200000-0x0000000009292000-memory.dmp

Filesize
584KB

Download
memory/4240-138-0x0000000009850000-0x0000000009DF4000-memory.dmp

Filesize
5.6MB

Download
memory/4312-152-0x0000000000000000-mapping.dmp

Download
memory/4720-153-0x0000000000000000-mapping.dmp

Download
memory/4996-147-0x00000000006E0000-0x00000000006FE000-memory.dmp

Filesize
120KB

Download
memory/4996-148-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

Filesize
40KB

Download
memory/4996-144-0x0000000000000000-mapping.dmp

Download