Analysis
- max time kernel: 335s
- max time network: 323s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-07-2022 16:35
Static task: static1

Behavioral tasks (task: sample, resource):
- behavioral1: Fortnite Hack v1.17/AutoUpdate v2/DiscordRPC.dll, win7-20220718-en
- behavioral2: Fortnite Hack v1.17/AutoUpdate v2/DiscordRPC.dll, win10v2004-20220721-en
- behavioral3: Fortnite Hack v1.17/AutoUpdate v2/DotNetZip.dll, win7-20220715-en
- behavioral4: Fortnite Hack v1.17/AutoUpdate v2/DotNetZip.dll, win10v2004-20220722-en
- behavioral5: Fortnite Hack v1.17/AutoUpdate v2/Newtonsoft.dll, win7-20220718-en
- behavioral6: Fortnite Hack v1.17/AutoUpdate v2/Newtonsoft.dll, win10v2004-20220721-en
- behavioral7: Fortnite Hack v1.17/AutoUpdate v2/for updater.exe, win7-20220715-en
- behavioral8: Fortnite Hack v1.17/AutoUpdate v2/for updater.exe, win10v2004-20220721-en
- behavioral9: Fortnite Hack v1.17/AutoUpdate v2/update.exe, win7-20220718-en
- behavioral10: Fortnite Hack v1.17/AutoUpdate v2/update.exe, win10v2004-20220722-en
- behavioral11: Fortnite Hack v1.17/AutoUpdate v2/updater.dll, win7-20220715-en
- behavioral12: Fortnite Hack v1.17/AutoUpdate v2/updater.dll, win10v2004-20220721-en
- behavioral13: Fortnite Hack v1.17/AutoUpdate v2/win64.dll, win7-20220718-en
- behavioral14: Fortnite Hack v1.17/AutoUpdate v2/win64.dll, win10v2004-20220721-en
- behavioral15: Fortnite Hack v1.17/DiscordRPC.dll, win7-20220718-en
- behavioral16: Fortnite Hack v1.17/DiscordRPC.dll, win10v2004-20220721-en
- behavioral17: Fortnite Hack v1.17/DotNetZip.dll, win7-20220715-en
- behavioral18: Fortnite Hack v1.17/DotNetZip.dll, win10v2004-20220721-en
- behavioral19: Fortnite Hack v1.17/For injector.exe, win7-20220718-en
- behavioral20: Fortnite Hack v1.17/For injector.exe, win10v2004-20220721-en
- behavioral21: Fortnite Hack v1.17/Newtonsoft.Json.dll, win7-20220715-en
- behavioral22: Fortnite Hack v1.17/Newtonsoft.Json.dll, win10v2004-20220721-en
- behavioral23: Fortnite Hack v1.17/RestSharp.dll, win7-20220718-en
- behavioral24: Fortnite Hack v1.17/RestSharp.dll, win10v2004-20220721-en
- behavioral25: Fortnite Hack v1.17/injector.exe, win7-20220718-en
- behavioral26: Fortnite Hack v1.17/injector.exe, win10v2004-20220721-en
- behavioral27: Fortnite Hack v1.17/laways.dll, win7-20220715-en
- behavioral28: Fortnite Hack v1.17/laways.dll, win10v2004-20220722-en
- behavioral29: Fortnite Hack v1.17/oo2core_8_win64.dll, win7-20220715-en
- behavioral30: Fortnite Hack v1.17/oo2core_8_win64.dll, win10v2004-20220721-en
General
- Target: Fortnite Hack v1.17/injector.exe
- Size: 504KB
- MD5: b989834fe117f763a5b08223d839f4e9
- SHA1: 06798c3a87b1ca1ca62f5571c36e44433eb92f5c
- SHA256: 4e98f37fb1499cc9ccd6c84c9e920bbad3784fac3acd084a7113d788e87d5d69
- SHA512: 73a38d45d6c872be00e02cf1360eaa151acfe569a9d31ba3075cb34e63b907b63a652c9d7979bbebbbc46c6177d9083b7775f2105871b37db98ceda1e1920129
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 640 conhost.exe
  - 3224 svhost.exe
  - 3252 MoUSO.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation, svhost.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation, injector.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 4696 injector.exe
  - 4324 powershell.exe (2 entries)
  - 1280 powershell.exe (2 entries)
  - 3936 powershell.exe (2 entries)
  - 3252 MoUSO.exe (repeated for all remaining entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 4696 injector.exe
  - Token: SeDebugPrivilege, 4324 powershell.exe
  - Token: SeDebugPrivilege, 640 conhost.exe
  - Token: SeDebugPrivilege, 1280 powershell.exe
  - Token: SeDebugPrivilege, 3936 powershell.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process, target process; each pair is recorded 3 times):
  - PID 4696 injector.exe wrote to memory of 640 conhost.exe
  - PID 4696 injector.exe wrote to memory of 3224 svhost.exe
  - PID 640 conhost.exe wrote to memory of 3480 cmd.exe
  - PID 3480 cmd.exe wrote to memory of 1464 chcp.com
  - PID 3480 cmd.exe wrote to memory of 4324 powershell.exe
  - PID 3224 svhost.exe wrote to memory of 1176 schtasks.exe
  - PID 3480 cmd.exe wrote to memory of 1280 powershell.exe
  - PID 3480 cmd.exe wrote to memory of 3936 powershell.exe
Processes (indented by process-tree depth; each entry gives the image path, the command line, the PID and the signatures triggered)

- C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\injector.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\injector.exe"
  PID: 4696
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\conhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    PID: 640
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
      PID: 3480
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        Command line: chcp 1251
        PID: 1464
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        PID: 4324
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker"
        PID: 1280
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
        PID: 3936
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    PID: 3224
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
      PID: 1176
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  Command line: C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  PID: 3252
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
- Filesize: 18KB
  MD5: 25cc162267929fe37e2965498cb3c64f
  SHA1: cbdb1465b33cb042b0f222f3fbfd3bd801f4e31e
  SHA256: 3c4de8ab262c6fc334f5b7d851f36b5ce05d1a5c1cc78ab9c562b147e6352bfb
  SHA512: 971fa5bbef2f123c2ede891258d6a638725c0e011f7290ec58f6756f5e6a5f1f7651b7908a79866d324156cd5797aa07c53bbf68685d747802690fcf0b55739f
- Filesize: 18KB
  MD5: dd4849f80bd969fe8044f7a9a10b7dee
  SHA1: 55c5834db0522c1c6c2f64a416ce5bef561dddf8
  SHA256: 0bd30a1a7d25ba24f998552483da7852b30070c683a2c2212a7f39db2e4b426f
  SHA512: e2f1cad19acbac67b0936114d6654f3db0b17390a51c3c7576649f8f7a69e9f5f3ac28a35decbb7aaae549e24b8bcea43b7bef8f7d1e780e5d28462637d4560b
- Filesize: 91KB (this entry is listed twice in the report)
  MD5: 771731378a96560cd15d4cf5b2808aed
  SHA1: d9c4ed0e64b543c391a6d83f8347ace7bc43e536
  SHA256: 0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd
  SHA512: 3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db
- Filesize: 123KB (this entry is listed four times in the report)
  MD5: 1a07b35055a94e295213e75c7252b96f
  SHA1: 137aaec61339f2adadba840544da32458f19e445
  SHA256: d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd
  SHA512: 1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80