Overview (score 10)
Static
Per-task scores, in the order of the task list below (tab labels as truncated on the page):
- behavioral1  Fortnite H...PC.dll  windows7-x64: 1
- behavioral2  Fortnite H...PC.dll  windows10-2004-x64: 1
- behavioral3  Fortnite H...ip.dll  windows7-x64: 1
- behavioral4  Fortnite H...ip.dll  windows10-2004-x64: 1
- behavioral5  Fortnite H...ft.dll  windows7-x64: 1
- behavioral6  Fortnite H...ft.dll  windows10-2004-x64: 1
- behavioral7  Fortnite H...er.exe  windows7-x64: 3
- behavioral8  Fortnite H...er.exe  windows10-2004-x64: 3
- behavioral9  Fortnite H...te.exe  windows7-x64: 10
- behavioral10 Fortnite H...te.exe  windows10-2004-x64: 8
- behavioral11 Fortnite H...er.dll  windows7-x64: 1
- behavioral12 Fortnite H...er.dll  windows10-2004-x64: 1
- behavioral13 Fortnite H...64.dll  windows7-x64: 3
- behavioral14 Fortnite H...64.dll  windows10-2004-x64: 3
- behavioral15 Fortnite H...PC.dll  windows7-x64: 1
- behavioral16 Fortnite H...PC.dll  windows10-2004-x64: 1
- behavioral17 Fortnite H...ip.dll  windows7-x64: 1
- behavioral18 Fortnite H...ip.dll  windows10-2004-x64: 1
- behavioral19 Fortnite H...or.exe  windows7-x64: 3
- behavioral20 Fortnite H...or.exe  windows10-2004-x64: 3
- behavioral21 Fortnite H...on.dll  windows7-x64: 1
- behavioral22 Fortnite H...on.dll  windows10-2004-x64: 1
- behavioral23 Fortnite H...rp.dll  windows7-x64: 1
- behavioral24 Fortnite H...rp.dll  windows10-2004-x64: 1
- behavioral25 Fortnite H...or.exe  windows7-x64: 10
- behavioral26 Fortnite H...or.exe  windows10-2004-x64: 8
- behavioral27 Fortnite H...ys.dll  windows7-x64: 1
- behavioral28 Fortnite H...ys.dll  windows10-2004-x64: 1
- behavioral29 Fortnite H...64.dll  windows7-x64: 3
- behavioral30 Fortnite H...64.dll  windows10-2004-x64: 5
Analysis
- max time kernel: 339s
- max time network: 351s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 30-07-2022 16:35
Tasks
- static1 (static task)
- behavioral1  Fortnite Hack v1.17/AutoUpdate v2/DiscordRPC.dll  (win7-20220718-en)
- behavioral2  Fortnite Hack v1.17/AutoUpdate v2/DiscordRPC.dll  (win10v2004-20220721-en)
- behavioral3  Fortnite Hack v1.17/AutoUpdate v2/DotNetZip.dll  (win7-20220715-en)
- behavioral4  Fortnite Hack v1.17/AutoUpdate v2/DotNetZip.dll  (win10v2004-20220722-en)
- behavioral5  Fortnite Hack v1.17/AutoUpdate v2/Newtonsoft.dll  (win7-20220718-en)
- behavioral6  Fortnite Hack v1.17/AutoUpdate v2/Newtonsoft.dll  (win10v2004-20220721-en)
- behavioral7  Fortnite Hack v1.17/AutoUpdate v2/for updater.exe  (win7-20220715-en)
- behavioral8  Fortnite Hack v1.17/AutoUpdate v2/for updater.exe  (win10v2004-20220721-en)
- behavioral9  Fortnite Hack v1.17/AutoUpdate v2/update.exe  (win7-20220718-en)
- behavioral10 Fortnite Hack v1.17/AutoUpdate v2/update.exe  (win10v2004-20220722-en)
- behavioral11 Fortnite Hack v1.17/AutoUpdate v2/updater.dll  (win7-20220715-en)
- behavioral12 Fortnite Hack v1.17/AutoUpdate v2/updater.dll  (win10v2004-20220721-en)
- behavioral13 Fortnite Hack v1.17/AutoUpdate v2/win64.dll  (win7-20220718-en)
- behavioral14 Fortnite Hack v1.17/AutoUpdate v2/win64.dll  (win10v2004-20220721-en)
- behavioral15 Fortnite Hack v1.17/DiscordRPC.dll  (win7-20220718-en)
- behavioral16 Fortnite Hack v1.17/DiscordRPC.dll  (win10v2004-20220721-en)
- behavioral17 Fortnite Hack v1.17/DotNetZip.dll  (win7-20220715-en)
- behavioral18 Fortnite Hack v1.17/DotNetZip.dll  (win10v2004-20220721-en)
- behavioral19 Fortnite Hack v1.17/For injector.exe  (win7-20220718-en)
- behavioral20 Fortnite Hack v1.17/For injector.exe  (win10v2004-20220721-en)
- behavioral21 Fortnite Hack v1.17/Newtonsoft.Json.dll  (win7-20220715-en)
- behavioral22 Fortnite Hack v1.17/Newtonsoft.Json.dll  (win10v2004-20220721-en)
- behavioral23 Fortnite Hack v1.17/RestSharp.dll  (win7-20220718-en)
- behavioral24 Fortnite Hack v1.17/RestSharp.dll  (win10v2004-20220721-en)
- behavioral25 Fortnite Hack v1.17/injector.exe  (win7-20220718-en)
- behavioral26 Fortnite Hack v1.17/injector.exe  (win10v2004-20220721-en)
- behavioral27 Fortnite Hack v1.17/laways.dll  (win7-20220715-en)
- behavioral28 Fortnite Hack v1.17/laways.dll  (win10v2004-20220722-en)
- behavioral29 Fortnite Hack v1.17/oo2core_8_win64.dll  (win7-20220715-en)
- behavioral30 Fortnite Hack v1.17/oo2core_8_win64.dll  (win10v2004-20220721-en)
General
- Target: Fortnite Hack v1.17/AutoUpdate v2/update.exe
- Size: 504KB
- MD5: b989834fe117f763a5b08223d839f4e9
- SHA1: 06798c3a87b1ca1ca62f5571c36e44433eb92f5c
- SHA256: 4e98f37fb1499cc9ccd6c84c9e920bbad3784fac3acd084a7113d788e87d5d69
- SHA512: 73a38d45d6c872be00e02cf1360eaa151acfe569a9d31ba3075cb34e63b907b63a652c9d7979bbebbbc46c6177d9083b7775f2105871b37db98ceda1e1920129
The behaviour below is from the behavioral9 run of this file (windows7_x64, resource win7-20220718-en); the YARA match path and the process tree both refer to that task. The same file ran on Windows 10 as behavioral10.
Malware Config
Extracted (family: redline)
- Botnet: @fast1q
- C2: 101.99.93.104:80
- auth_value: 1508fee58f3b525a1013607ab0323781
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
YARA rule family_redline matched the memory dump behavioral9/memory/1316-56-0x0000000000780000-0x00000000007A0000-memory.dmp, i.e. the unpacked stealer in the address space of update.exe (PID 1316), not the file as it sits on disk.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes: 1056 conhost.exe, 1468 svhost.exe, 2032 MoUSO.exe
All three borrow the name of a Windows binary (conhost.exe; svhost.exe is one letter short of svchost.exe; MoUSO resembles the MoUsoCoreWorker update component) but run from user-writable paths (%TEMP% and %LOCALAPPDATA%\cache in the process tree). The path, not the name, is what a detection should key on.
-
Loads dropped DLL 6 IoCs
Processes: 1316 update.exe (2), 1056 conhost.exe (2), 1468 svhost.exe (2)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour"; in a run that matches RedLine and shows no encryption or ransom-note activity anywhere else in this report, it is more plausibly the stealer's host inventory.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here svhost.exe (PID 1468) launches schtasks.exe (PID 1740); the full command line is in the process tree.
-
Modifies system certificate store
The two thumbprints are ISRG Root X1 (CABD2A79A1076A31F21D253635CB039D4329A5E8) and DST Root CA X3 (DAC9024F54D8F6DF94935FB1732638CA6AD77C13); the hex blobs are CryptoAPI property records followed by the DER certificates, and the subject names "ISRG Root X1" and "DST Root CA X3" are readable inside them. This is the standard Let's Encrypt trust chain, and writing these entries is what Windows' automatic root update does by itself when a process completes a TLS handshake against such a chain (the CryptnetUrlCache file under Downloads belongs to the same mechanism). The signature is therefore consistent with update.exe making an HTTPS connection; it does not show a trust anchor of the sample's own being planted. The C2 in the extracted config is plain port 80, so the HTTPS traffic is most likely the payload download or another host.
Processes:
update.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 update.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b
3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 update.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 update.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 
0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb64
63609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 update.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (repeat write; blob data not reproduced on the page) update.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (repeat write; blob data not reproduced on the page) update.exe
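To turn the registry writes above into something reviewable, a parser for the Blob value format is useful. The following is an added example written for this page, not sandbox code: it walks the CryptoAPI property records, pulls the DER certificate and the stored SHA-1, and checks that the two agree. The first three records of the ROOT\...\CABD2A79...\Blob value are copied verbatim from the report; the full blob used for the integrity check is constructed here (a bare X.501 Name stands in for a certificate body), and the property-id names are the CERT_*_PROP_ID constants as I know them.

```python
"""Parse the 'Blob' value that CryptoAPI writes under
SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<SHA1>\\Blob.
The value is a run of records: uint32 property id, uint32 reserved (1),
uint32 length, then the property bytes. Property 0x20 is the DER certificate
and property 0x03 its SHA-1 thumbprint, which is also the registry key name."""
import hashlib
import struct

# CryptoAPI CERT_*_PROP_ID values present in the two blobs of the report.
PROP_NAMES = {
    0x03: "sha1_hash",
    0x04: "md5_hash",
    0x09: "enhanced_key_usage",
    0x0B: "friendly_name",
    0x0F: "signature_hash",
    0x14: "key_identifier",
    0x1D: "subject_name_md5_hash",
    0x20: "certificate",
}

# First three records of the ROOT\...\CABD2A79...\Blob value, copied from the report.
REPORT_ROOT_BLOB_HEAD = bytes.fromhex(
    "0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e"
    "14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e"
    "030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e8"
)

def parse_cert_blob(blob: bytes) -> dict:
    """Walk the records and return {property name or id: raw bytes}."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed record for property %#x" % prop_id)
        props[PROP_NAMES.get(prop_id, prop_id)] = blob[off:off + length]
        off += length
    return props

def friendly_name(props: dict) -> str:
    """Property 0x0B is a NUL-terminated UTF-16LE string."""
    return props["friendly_name"].decode("utf-16-le").rstrip("\x00")

def thumbprint_matches(props: dict) -> bool:
    """SHA-1 over the DER must equal the stored SHA-1 property; a mismatch
    means the blob was edited after CryptoAPI wrote it."""
    return hashlib.sha1(props["certificate"]).digest() == props["sha1_hash"]

def first_common_name(der: bytes) -> str:
    """Find the first CN attribute (OID 2.5.4.3 = 06 03 55 04 03) followed by a
    PrintableString (0x13) or UTF8String (0x0C) with a short-form length.
    A string finder for labelling root certs, not an X.509 parser."""
    i = der.find(b"\x06\x03\x55\x04\x03")
    if i < 0 or i + 7 > len(der):
        return ""
    tag, length = der[i + 5], der[i + 6]
    if tag not in (0x13, 0x0C) or length >= 0x80:
        return ""
    return der[i + 7:i + 7 + length].decode("ascii" if tag == 0x13 else "utf-8")

def build_blob(records) -> bytes:
    """Serialise (property id, bytes) pairs in the registry layout."""
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in records)

def der_name_with_cn(cn: str) -> bytes:
    """SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, PrintableString cn } } }: a bare
    X.501 Name standing in for a certificate body. Constructed for this example."""
    value = cn.encode("ascii")
    attr = b"\x06\x03\x55\x04\x03\x13" + bytes([len(value)]) + value
    rdn = b"\x30" + bytes([len(attr)]) + attr
    rdn_set = b"\x31" + bytes([len(rdn)]) + rdn
    return b"\x30" + bytes([len(rdn_set)]) + rdn_set

# Constructed blob in the property order of the AuthRoot entry in the report.
SAMPLE_DER = der_name_with_cn("Example Test Root")
SAMPLE_BLOB = build_blob([
    (0x0B, "Example Test Root".encode("utf-16-le") + b"\x00\x00"),
    (0x03, hashlib.sha1(SAMPLE_DER).digest()),
    (0x20, SAMPLE_DER),
])
# Same blob with the last certificate byte flipped: the stored thumbprint no longer fits.
TAMPERED_BLOB = SAMPLE_BLOB[:-1] + bytes([SAMPLE_BLOB[-1] ^ 0x01])

def summarize(blob: bytes) -> dict:
    """Fields an analyst wants per store entry: name, CN, thumbprint, integrity."""
    props = parse_cert_blob(blob)
    return {
        "friendly_name": friendly_name(props),
        "common_name": first_common_name(props["certificate"]),
        "thumbprint": props["sha1_hash"].hex().upper(),
        "thumbprint_ok": thumbprint_matches(props),
    }

if __name__ == "__main__":
    print(parse_cert_blob(REPORT_ROOT_BLOB_HEAD)["sha1_hash"].hex().upper())
    for label, blob in (("constructed", SAMPLE_BLOB), ("tampered", TAMPERED_BLOB)):
        print(label, summarize(blob))
```

On a live host the same routine can be pointed at the exported Blob values of every entry under the ROOT and AuthRoot keys: an entry whose SHA-1 property does not match its certificate, or whose key name does not match the SHA-1 property, was not written by CryptoAPI and deserves a closer look, whereas the two entries in this report carry well-known public roots.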
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 1316 update.exe, 1804 powershell.exe, 1948 powershell.exe, 1748 powershell.exe, 2032 MoUSO.exe (the MoUSO.exe entry is repeated 60 times)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
- 1316 update.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege
- 1056 conhost.exe: SeDebugPrivilege
- 1804 powershell.exe: SeDebugPrivilege
- 1948 powershell.exe: SeDebugPrivilege
- 1748 powershell.exe: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory 60 IoCs
Writer PID -> target PID (number of writes logged):
- 1316 update.exe -> 1056 conhost.exe (7)
- 1316 update.exe -> 1468 svhost.exe (7)
- 1056 conhost.exe -> 1720 cmd.exe (7)
- 1720 cmd.exe -> 1572 chcp.com (7)
- 1720 cmd.exe -> 1804 powershell.exe (7)
- 1468 svhost.exe -> 1740 schtasks.exe (7)
- 1720 cmd.exe -> 1948 powershell.exe (7)
- 1720 cmd.exe -> 1748 powershell.exe (7)
- 564 taskeng.exe -> 2032 MoUSO.exe (4)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\AutoUpdate v2\update.exe (PID 1316)
  command: "C:\Users\Admin\AppData\Local\Temp\Fortnite Hack v1.17\AutoUpdate v2\update.exe"
  Loads dropped DLL; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\conhost.exe (PID 1056)
    command: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1720)
      command: "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
      Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\chcp.com (PID 1572)
        command: chcp 1251
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1804)
        command: powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1948)
        command: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker"
        Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1748)
        command: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"
        Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 1468)
    command: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe (PID 1740)
      command: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
      Creates scheduled task(s)
- [1] C:\Windows\system32\taskeng.exe (PID 564)
  command: taskeng.exe {0CCE80E8-E5AD-48A1-87E1-7E9E039AC29E} S-1-5-21-3762437355-3468409815-1164039494-1000:TZEOUYSL\Admin:Interactive:[1]
  Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\cache\MoUSO.exe (PID 2032)
    command: C:\Users\Admin\AppData\Local\cache\MoUSO.exe
    Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

Reading the tree: the dropped conhost.exe first switches the console to code page 1251 (Windows Cyrillic) and then tries to add three Windows Defender exclusions (the user's Desktop and two directories under C:\ProgramData that do not yet exist at this point); the "&" chaining means each command runs whether or not the previous one succeeded. Add-MpPreference belongs to the Defender PowerShell module, which is not shipped with Windows 7, so on this image the three commands cannot have changed any AV configuration; the behavioral10 run on Windows 10 is where they would. The dropped svhost.exe registers a task named to look like a SID, with /SC MINUTE and no /MO, so MoUSO.exe is launched every minute from %LOCALAPPDATA%\cache; the taskeng.exe branch at the bottom is the Task Scheduler engine firing that task (PID 564 -> 2032) during the run, which confirms the persistence works without a reboot.
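The three behaviours in this tree (system-binary lookalikes outside the Windows directories, Defender exclusions added from a command line, and a minute-interval task pointed at a user-writable path) are each cheap to detect from process-creation telemetry. The following is an added example, not sandbox or sample code: the EVENTS list is constructed to mirror the command lines above plus two benign controls, the field names (ProcessId, Image, CommandLine) assume a Sysmon Event ID 1 style export, and naming MoUsoCoreWorker.exe as the binary MoUSO.exe resembles is this example's reading rather than something the report states.

```python
"""Flag the behaviours shown in the process tree from process-creation events.
The EVENTS list is constructed to mirror the report's command lines; it is not
sandbox output, and the field names (Image, CommandLine, ProcessId) assume a
Sysmon Event ID 1 style export."""
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Dropped-file names from the tree and the Windows binaries they resemble.
# MoUsoCoreWorker.exe as the model for MoUSO.exe is this example's reading, not the report's.
LOOKALIKES = {
    "conhost.exe": "conhost.exe",
    "svhost.exe": "svchost.exe",
    "mouso.exe": "MoUsoCoreWorker.exe",
}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

EXCLUSION_RE = re.compile(
    r'add-mppreference\s+-exclusion(?:path|process|extension)\s+(?P<val>"[^"]*"|\S+)', re.I)
SCHTASKS_CREATE_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
SCHEDULE_RE = re.compile(r"/sc\s+(\w+)", re.I)
TASK_RUN_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)

def flag_event(ev: dict) -> list:
    """Return the findings for one process-creation record."""
    image, cmd, hits = ev["Image"].lower(), ev["CommandLine"], []
    name = image.rsplit("\\", 1)[-1]
    if name in LOOKALIKES and not image.startswith(SYSTEM_DIRS):
        hits.append(f"lookalike of {LOOKALIKES[name]} outside system dirs: {ev['Image']}")
    for m in EXCLUSION_RE.finditer(cmd):
        hits.append(f"defender exclusion added: {m.group('val')}")
    if SCHTASKS_CREATE_RE.search(cmd):
        sched = SCHEDULE_RE.search(cmd)
        run = TASK_RUN_RE.search(cmd)
        target = (run.group(1) or run.group(2)) if run else ""
        every_minute = bool(sched) and sched.group(1).lower() == "minute"
        writable = any(d in target.lower() for d in USER_WRITABLE)
        if every_minute or writable:
            hits.append(f"scheduled task ({sched.group(1) if sched else '?'}) runs {target}")
    return hits

def scan(events) -> list:
    """(ProcessId, finding) pairs for every flagged event."""
    return [(ev["ProcessId"], h) for ev in events for h in flag_event(ev)]

T = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [  # constructed from the report's tree; the last two are benign controls
    {"ProcessId": 1316, "Image": T + r"\Fortnite Hack v1.17\AutoUpdate v2\update.exe",
     "CommandLine": '"' + T + r'\Fortnite Hack v1.17\AutoUpdate v2\update.exe"'},
    {"ProcessId": 1056, "Image": T + r"\conhost.exe", "CommandLine": '"' + T + r'\conhost.exe"'},
    {"ProcessId": 1720, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference '
                    r'-ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command '
                    r'Add-MpPreference -ExclusionPath "C:\ProgramData\RuntimeBroker" & '
                    r'powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\MicrosoftSystemData"'},
    {"ProcessId": 1804, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"'},
    {"ProcessId": 1468, "Image": T + r"\svhost.exe", "CommandLine": '"' + T + r'\svhost.exe"'},
    {"ProcessId": 1740, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 '
                    r'/TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"'},
    {"ProcessId": 2032, "Image": r"C:\Users\Admin\AppData\Local\cache\MoUSO.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\cache\MoUSO.exe"},
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"ProcessId": 9002, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for pid, finding in scan(EVENTS):
        print(pid, finding)
```

The lookalike rule deliberately checks the image path rather than the name alone, so the real conhost.exe and svchost.exe in System32 pass; the exclusion rule matches every Add-MpPreference in a chained command line, which is why the cmd.exe event yields three findings while each child powershell.exe yields one. The task rule fires on either a sub-hourly schedule or a target under a user-writable directory, since either alone is unusual for a legitimately installed task.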
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 340B
MD5: 34dbc233011790f6f4434732efc01630
SHA1: d32be587f90206ad24a22b919f56160c31c3666d
SHA256: f7a5bbc360a421cea3842817754ffdc394b4795879804bfae110c6869d47cbd5
SHA512: e5b0352ee5d0a4b87d340e2eb2e4fcd8d372c0b33e7756b776bd57755c72967ce4345d8bce3af1b997907c5f9f5c889c10d7613d5cf2ceab0595190b23eb6137
(CryptnetUrlCache is CryptoAPI's cache for data it fetches over the network; this entry goes with the certificate-store writes under Signatures.)
-
(file path not preserved on the page; this entry is listed 5 times)
Filesize: 91KB
MD5: 771731378a96560cd15d4cf5b2808aed
SHA1: d9c4ed0e64b543c391a6d83f8347ace7bc43e536
SHA256: 0fa160f044c73e7861ac391e5c97134f4acc78b9a667d01941e404a8413807fd
SHA512: 3c49e76cb67809beaf81bbcd4505f1c60bdee0ee0a187346331a9db3dcbd923ccc248387f6284c7d7f1354decb1e917a42412b1d0335f5fa751ae4fc4fc832db
-
(file path not preserved on the page; this entry is listed 7 times)
Filesize: 123KB
MD5: 1a07b35055a94e295213e75c7252b96f
SHA1: 137aaec61339f2adadba840544da32458f19e445
SHA256: d1112ff71f6e5bf6ad01fac051f98b2bb1f1d142c38ef084a8386f73a9e02ffd
SHA512: 1b293fed019a405fb4b9618837cabfd3d6838db51e6ebd015c126ae522d284e4a00efcf2a79430debf022d67f948807ab465df7dcad69e76bd84619130c82c80
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: e2b7695e8c164f8771613d63c3fe74a4
SHA1: 626ffd348cf7324b4c852f8aa900f5a90a955694
SHA256: 7ad9093f6742d994fdb6dcdfa7a49937ac0699d95681990b9d3cf49378f51a21
SHA512: 5aaf01714d57d6eacc156d170a68f6d7d2d2b521f1c310659d0e48deb8f4c26b0d4b70554a7336cd4f3a86baf3196949d93bc4690558987b8e834e1a5c2de8a2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (second version of the same file)
Filesize: 7KB
MD5: 9341f842f71bc1595d04367105dc8ed0
SHA1: 712b0fb83605383cdaa16014abf83baa2584841b
SHA256: fc5140c510209da80109f802528120ac99b0c50abc9c9522cfbd85633b0f21fe
SHA512: b68e753106a372142d21a6b43a6860eecc36964498eb0e676213ac79db2a14371cbda721434abde49640128059c170b6168602f6bb7dd5060a5b12b97b9adb37