4c08a8f3c94eb025877f8cb8ae3018578183d5b5e829280fee70fb700f04e428

Analysis

max time kernel
335s
max time network
323s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite Hack v1.17/injector.exe
Size

504KB
MD5

b989834fe117f763a5b08223d839f4e9
SHA1

06798c3a87b1ca1ca62f5571c36e44433eb92f5c
SHA256

4e98f37fb1499cc9ccd6c84c9e920bbad3784fac3acd084a7113d788e87d5d69
SHA512

73a38d45d6c872be00e02cf1360eaa151acfe569a9d31ba3075cb34e63b907b63a652c9d7979bbebbbc46c6177d9083b7775f2105871b37db98ceda1e1920129

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

conhost.exesvhost.exeMoUSO.exe

pid process

640 conhost.exe
3224 svhost.exe
3252 MoUSO.exe

pid	process
640	conhost.exe
3224	svhost.exe
3252	MoUSO.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svhost.exeinjector.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	svhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	injector.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1176 schtasks.exe

pid	process
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

injector.exepowershell.exepowershell.exepowershell.exeMoUSO.exe

pid	process
4696	injector.exe
4324	powershell.exe
4324	powershell.exe
1280	powershell.exe
1280	powershell.exe
3936	powershell.exe
3936	powershell.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe
3252	MoUSO.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

injector.exepowershell.execonhost.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4696	injector.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	640	conhost.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

injector.execonhost.execmd.exesvhost.exe

description	pid	process	target process
PID 4696 wrote to memory of 640	4696	injector.exe	conhost.exe
PID 4696 wrote to memory of 640	4696	injector.exe	conhost.exe
PID 4696 wrote to memory of 640	4696	injector.exe	conhost.exe
PID 4696 wrote to memory of 3224	4696	injector.exe	svhost.exe
PID 4696 wrote to memory of 3224	4696	injector.exe	svhost.exe
PID 4696 wrote to memory of 3224	4696	injector.exe	svhost.exe
PID 640 wrote to memory of 3480	640	conhost.exe	cmd.exe
PID 640 wrote to memory of 3480	640	conhost.exe	cmd.exe
PID 640 wrote to memory of 3480	640	conhost.exe	cmd.exe
PID 3480 wrote to memory of 1464	3480	cmd.exe	chcp.com
PID 3480 wrote to memory of 1464	3480	cmd.exe	chcp.com
PID 3480 wrote to memory of 1464	3480	cmd.exe	chcp.com
PID 3480 wrote to memory of 4324	3480	cmd.exe	powershell.exe
PID 3480 wrote to memory of 4324	3480	cmd.exe	powershell.exe
PID 3480 wrote to memory of 4324	3480	cmd.exe	powershell.exe
PID 3224 wrote to memory of 1176	3224	svhost.exe	schtasks.exe
PID 3224 wrote to memory of 1176	3224	svhost.exe	schtasks.exe
PID 3224 wrote to memory of 1176	3224	svhost.exe	schtasks.exe
PID 3480 wrote to memory of 1280	3480	cmd.exe	powershell.exe
PID 3480 wrote to memory of 1280	3480	cmd.exe	powershell.exe
PID 3480 wrote to memory of 1280	3480	cmd.exe	powershell.exe
PID 3480 wrote to memory of 3936	3480	cmd.exe	powershell.exe
PID 3480 wrote to memory of 3936	3480	cmd.exe	powershell.exe
PID 3480 wrote to memory of 3936	3480	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\injector.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\injector.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
3⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
3⤵
- Creates scheduled task(s)
PID:1176

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
25cc162267929fe37e2965498cb3c64f

SHA1
cbdb1465b33cb042b0f222f3fbfd3bd801f4e31e

SHA256
3c4de8ab262c6fc334f5b7d851f36b5ce05d1a5c1cc78ab9c562b147e6352bfb

SHA512
971fa5bbef2f123c2ede891258d6a638725c0e011f7290ec58f6756f5e6a5f1f7651b7908a79866d324156cd5797aa07c53bbf68685d747802690fcf0b55739f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dd4849f80bd969fe8044f7a9a10b7dee

SHA1
55c5834db0522c1c6c2f64a416ce5bef561dddf8

SHA256
0bd30a1a7d25ba24f998552483da7852b30070c683a2c2212a7f39db2e4b426f

SHA512
e2f1cad19acbac67b0936114d6654f3db0b17390a51c3c7576649f8f7a69e9f5f3ac28a35decbb7aaae549e24b8bcea43b7bef8f7d1e780e5d28462637d4560b

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
91KB

MD5
771731378a96560cd15d4cf5b2808aed

SHA1
d9c4ed0e64b543c391a6d83f8347ace7bc43e536

SHA256
0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd

SHA512
3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
91KB

MD5
771731378a96560cd15d4cf5b2808aed

SHA1
d9c4ed0e64b543c391a6d83f8347ace7bc43e536

SHA256
0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd

SHA512
3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
123KB

MD5
1a07b35055a94e295213e75c7252b96f

SHA1
137aaec61339f2adadba840544da32458f19e445

SHA256
d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd

SHA512
1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80

Download Submit
memory/640-146-0x0000000004C90000-0x0000000004C9A000-memory.dmp

Filesize
40KB

Download
memory/640-145-0x00000000002E0000-0x00000000002FE000-memory.dmp

Filesize
120KB

Download
memory/640-142-0x0000000000000000-mapping.dmp

Download
memory/1176-153-0x0000000000000000-mapping.dmp

Download
memory/1280-169-0x0000000000000000-mapping.dmp

Download
memory/1280-172-0x0000000071210000-0x000000007125C000-memory.dmp

Filesize
304KB

Download
memory/1464-151-0x0000000000000000-mapping.dmp

Download
memory/3224-147-0x0000000000000000-mapping.dmp

Download
memory/3480-150-0x0000000000000000-mapping.dmp

Download
memory/3936-173-0x0000000000000000-mapping.dmp

Download
memory/3936-175-0x0000000071210000-0x000000007125C000-memory.dmp

Filesize
304KB

Download
memory/4324-154-0x00000000032A0000-0x00000000032D6000-memory.dmp

Filesize
216KB

Download
memory/4324-162-0x00000000081E0000-0x000000000885A000-memory.dmp

Filesize
6.5MB

Download
memory/4324-152-0x0000000000000000-mapping.dmp

Download
memory/4324-168-0x0000000007DE0000-0x0000000007DE8000-memory.dmp

Filesize
32KB

Download
memory/4324-167-0x0000000007EA0000-0x0000000007EBA000-memory.dmp

Filesize
104KB

Download
memory/4324-155-0x0000000005A60000-0x0000000006088000-memory.dmp

Filesize
6.2MB

Download
memory/4324-156-0x00000000060C0000-0x00000000060E2000-memory.dmp

Filesize
136KB

Download
memory/4324-157-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/4324-158-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/4324-161-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

Filesize
120KB

Download
memory/4324-160-0x000000006E980000-0x000000006E9CC000-memory.dmp

Filesize
304KB

Download
memory/4324-159-0x0000000007A40000-0x0000000007A72000-memory.dmp

Filesize
200KB

Download
memory/4324-163-0x0000000007B80000-0x0000000007B9A000-memory.dmp

Filesize
104KB

Download
memory/4324-166-0x0000000007DA0000-0x0000000007DAE000-memory.dmp

Filesize
56KB

Download
memory/4324-164-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

Filesize
40KB

Download
memory/4324-165-0x0000000007E00000-0x0000000007E96000-memory.dmp

Filesize
600KB

Download
memory/4696-141-0x0000000008C20000-0x0000000008C70000-memory.dmp

Filesize
320KB

Download
memory/4696-130-0x0000000006670000-0x0000000006C88000-memory.dmp

Filesize
6.1MB

Download
memory/4696-140-0x0000000009AB0000-0x0000000009FDC000-memory.dmp

Filesize
5.2MB

Download
memory/4696-139-0x00000000093B0000-0x0000000009572000-memory.dmp

Filesize
1.8MB

Download
memory/4696-138-0x0000000008AC0000-0x0000000008B26000-memory.dmp

Filesize
408KB

Download
memory/4696-137-0x0000000008710000-0x000000000872E000-memory.dmp

Filesize
120KB

Download
memory/4696-136-0x0000000008E00000-0x00000000093A4000-memory.dmp

Filesize
5.6MB

Download
memory/4696-135-0x00000000087B0000-0x0000000008842000-memory.dmp

Filesize
584KB

Download
memory/4696-134-0x0000000008690000-0x0000000008706000-memory.dmp

Filesize
472KB

Download
memory/4696-133-0x0000000006090000-0x00000000060CC000-memory.dmp

Filesize
240KB

Download
memory/4696-132-0x0000000008200000-0x000000000830A000-memory.dmp

Filesize
1.0MB

Download
memory/4696-131-0x0000000008010000-0x0000000008022000-memory.dmp

Filesize
72KB

Download