Analysis
-
max time kernel
31s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
-
submitted
04-08-2022 08:02
General
-
Target
FortniteChecker.v.2.0.0/ForniteChecker.v2.0.0.exe
-
Size
1.8MB
-
MD5
6f217b137ff59fd3b821a340c0a35a4e
-
SHA1
1e8dc83be90e3b1c369e393032cbece7d65083b3
-
SHA256
9e6ebe40697a1fa68ca9208dcbe4f8349f52d288b4ced8bd2b07eec6367e025d
-
SHA512
bd5bde451038ba283cc8b0f459f0ef2a89ba0fcee3d6fc1cd246080a84932f1008e681cb608ee40ddc3fb35d37685c3dabf67f8a6686e8650adfba81e431e1dc
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
ElysiumStealer Support DLL 1 IoCs
-
ElysiumStealer payload 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FortniteChecker.v.2.0.0\ForniteChecker.v2.0.0.exe"C:\Users\Admin\AppData\Local\Temp\FortniteChecker.v.2.0.0\ForniteChecker.v2.0.0.exe"1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9609.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 18243⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak3⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9609.tmp.batFilesize
57B
MD550020e4a79b189d13818b80d87b0b1b5
SHA13d0fa930f254a576fd1df865f8da61c131450848
SHA256d7ca7e17043dbd4821e97437b3e9254b6d60ad03d395e348ae1097646fbd0a57
SHA512eabbe7229b7e414674d64e9f511292170048a4ea87d74f33890e8cdfc62cac62c35f15496491d9ced28a0c5c4bcbcbf66fca60dde51bfbce482f0a9c35667a73
-
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dllFilesize
40KB
MD594173de2e35aa8d621fc1c4f54b2a082
SHA1fbb2266ee47f88462560f0370edb329554cd5869
SHA2567e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f
SHA512cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798
-
memory/908-62-0x0000000000000000-mapping.dmp
-
memory/1072-63-0x0000000000000000-mapping.dmp
-
memory/1356-61-0x0000000000000000-mapping.dmp
-
memory/1748-59-0x0000000000000000-mapping.dmp
-
memory/1824-54-0x00000000003C0000-0x0000000000592000-memory.dmpFilesize
1.8MB
-
memory/1824-55-0x00000000001F0000-0x00000000001FC000-memory.dmpFilesize
48KB
-
memory/1824-57-0x0000000075511000-0x0000000075513000-memory.dmpFilesize
8KB
-
memory/1824-58-0x0000000004960000-0x00000000049DA000-memory.dmpFilesize
488KB