Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-08-2022 04:26
Static task: static1
Behavioral task: behavioral1
- Sample: Fortnite Internal Esp AIm Clean Full_nls..scr
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Fortnite Internal Esp AIm Clean Full_nls..scr
- Resource: win10v2004-20220812-en
General
- Target: Fortnite Internal Esp AIm Clean Full_nls..scr
- Size: 2.6MB
- MD5: 5361a2f1d174599ebc5b6cc31daf86f2
- SHA1: ade74d0abac77203629b81513a739f11b39a52ef
- SHA256: 55af1ee79176f2503dc6cee5464344e6bbcaa4e37b4ae7217922c8e56ec395cf
- SHA512: 96381c583b975e4c2cd7ec70bd955936c48a9737036234241e37e73baf81c96cb28ab28d2fe3c53ed1e8ce0be641fba653d7e6877770cb8f60fb32f2c7b703b4
- SSDEEP: 49152:j8ASxr7FEi5LbunhHpj5G3FVhIdag5SNHeGJWrz:jTSt7FEGnCdpj5G3FVq18gGJ
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: Fortnite Internal Esp AIm Clean Full_nls..scr
  Set value (str): \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoftt\\DefenderProtector.exe\","
- Downloads MZ/PE file
- Executes dropped EXE (5 IoCs)
  PID 1056  tmp5024.tmp.exe
  PID 1620  BLACKNET.EXE
  PID 2012  SERVICEEDEFENDER.EXE
  PID 1172  WINDOWSDEFENDRSMARTSCREEN.EXE
  PID 940   WINDOWSSECUTIYHALTHYSERVICE.EXE
- Loads dropped DLL (4 IoCs)
  PID 1056  tmp5024.tmp.exe (4 entries)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (10 IoCs)
  Process: rundll32.exe
  Key created: \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  Key created: \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\.sln
  Set value (str): \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\.sln\ = "sln_auto_file"
  Key created: \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\sln_auto_file\shell\Read
  Key created: \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\sln_auto_file\shell
  Set value (str): \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\sln_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  Key created: \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_Classes\Local Settings
  Set value (str): \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\sln_auto_file\
  Key created: \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\sln_auto_file\shell\Read\command
  Key created: \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000_CLASSES\sln_auto_file
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 456  Fortnite Internal Esp AIm Clean Full_nls..scr (3 entries)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Token: SeDebugPrivilege     PID 456   Fortnite Internal Esp AIm Clean Full_nls..scr
  Token: SeShutdownPrivilege  PID 1400  Explorer.EXE
  Token: SeDebugPrivilege     PID 1400  Explorer.EXE
  Token: SeShutdownPrivilege  PID 1400  Explorer.EXE
  Token: SeDebugPrivilege     PID 1620  BLACKNET.EXE
  Token: SeDebugPrivilege     PID 940   WINDOWSSECUTIYHALTHYSERVICE.EXE
  Token: SeDebugPrivilege     PID 1172  WINDOWSDEFENDRSMARTSCREEN.EXE
  Token: SeDebugPrivilege     PID 2012  SERVICEEDEFENDER.EXE
  Token: SeShutdownPrivilege  PID 1400  Explorer.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 480  AcroRd32.exe (3 entries)
- Suspicious use of WriteProcessMemory (37 IoCs)
  PID 456 (Fortnite Internal Esp AIm Clean Full_nls..scr) wrote to memory of PID 1144 (rundll32.exe): 3 entries
  PID 1144 (rundll32.exe) wrote to memory of PID 480 (AcroRd32.exe): 4 entries
  PID 456 (Fortnite Internal Esp AIm Clean Full_nls..scr) wrote to memory of PID 1400 (Explorer.EXE): 1 entry
  PID 1400 (Explorer.EXE) wrote to memory of PID 1056 (tmp5024.tmp.exe): 4 entries
  PID 1056 (tmp5024.tmp.exe) wrote to memory of PID 1620 (BLACKNET.EXE): 7 entries
  PID 1056 (tmp5024.tmp.exe) wrote to memory of PID 2012 (SERVICEEDEFENDER.EXE): 4 entries
  PID 1056 (tmp5024.tmp.exe) wrote to memory of PID 1172 (WINDOWSDEFENDRSMARTSCREEN.EXE): 7 entries
  PID 1056 (tmp5024.tmp.exe) wrote to memory of PID 940 (WINDOWSSECUTIYHALTHYSERVICE.EXE): 7 entries
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Fortnite Internal Esp AIm Clean Full_nls..scr (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Fortnite Internal Esp AIm Clean Full_nls..scr" /S
    - Modifies WinLogon for persistence
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (depth 3)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Gngwnbcqyucvbwsgwyojoproject.sln
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 4)
        Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Gngwnbcqyucvbwsgwyojoproject.sln"
        - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\tmp5024.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5024.tmp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\BLACKNET.EXE (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\BLACKNET.EXE"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\SERVICEEDEFENDER.EXE (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\SERVICEEDEFENDER.EXE"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDRSMARTSCREEN.EXE (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDRSMARTSCREEN.EXE"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\WINDOWSSECUTIYHALTHYSERVICE.EXE (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\WINDOWSSECUTIYHALTHYSERVICE.EXE"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Gngwnbcqyucvbwsgwyojoproject.sln
  Filesize: 1KB
  MD5: aeee58518da7889951bf8aae1696ce79
  SHA1: a7fe2d1ca76bbdf519a724baf714cb53341617ac
  SHA256: e85a8310a266e15e043261400ef7caef5f19d5fb60fff0c359db292d172e2ca7
  SHA512: f54e34e805225b7d56e1a9a48b5f41939c4a525dfdd9d8f718161794f66bcfb66459689738615be8eccd54998ec173c24b565c8252b09ca0e23c62117f18b77b
- C:\Users\Admin\AppData\Local\Temp\tmp5024.tmp.exe
  Filesize: 928KB
  MD5: a1cb188468d9e8699e98a07eec4e1a86
  SHA1: ed41e241d733496ad0edcfe3c2270c55f55884ca
  SHA256: dcb96304f914dad4a7766c66c5847fa13b872e6188e426ae59038c6e11e3c594
  SHA512: 8cf987d14158f78c69952a42dbbcc2861174331d034841a6d78e42926b470fa0e5f9a31740595b98b1c4e54028f6a9680d8790424f893918388d771c87438ce6
- C:\Users\Admin\AppData\Roaming\BLACKNET.EXE
  Filesize: 132KB
  MD5: 5361492a445395b3abdd3a8d430090dd
  SHA1: a0f92e46bfcdcdda574130abd6f57a9e6b2a90f0
  SHA256: 1eebad9bce22f20abfb8b61eeeaf8ad1166fd23d8b350af22b06392c53bc2802
  SHA512: 92bf6b2fa52a208387bc5c5970d26208b91668e95196708bf393ff1a781fc4174cbbcf8942ce9fc4df2d6fdbe751a46517daa2c28081b4862434304deebda305
- C:\Users\Admin\AppData\Roaming\SERVICEEDEFENDER.EXE
  Filesize: 346KB
  MD5: c21905b87778932cb51b4715d00e7e7e
  SHA1: 642c4371d36e27cb165a4eb0b7037d4eebdf4dd5
  SHA256: 4f120c8ebabebcb9de147e7e0d087b38d86c67aed5889b72a417afdba8008551
  SHA512: 213e611b240041b2e1eaa91d5d28cec7d309e06fc528e37cacc64b1014128f106e906bb1ccbdd22d6df59de938af5c76542e7f3f05534cb0662dff57adbedde3
- C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDRSMARTSCREEN.EXE
  Filesize: 132KB
  MD5: 17fb18573b1dc1054c54f75d03f6a654
  SHA1: 35215aab38d1c308f2ed7c42b0d363d083e2b23b
  SHA256: d131775334ba49896d6566cc77063010bb6f2221ae4816e6dab133bad691f2f1
  SHA512: b6e4ce10eb1342bcbddbb9801de1a7b78c6e385005914adbaad8580d4ceeb125202528d22b4c13ec3e7976f5a471ce7c763aea19eb980282627d0383ba712b3f
- C:\Users\Admin\AppData\Roaming\WINDOWSSECUTIYHALTHYSERVICE.EXE
  Filesize: 132KB
  MD5: e8a55a613d23e48cec6bcffe953f422e
  SHA1: 3140be37c0cfc5d128ad7558ce88cb520ad4ee20
  SHA256: bad7ea46205f801d461cd295f246b7ab6c8a0dbd6d93c0021f9e04b0c8f49f97
  SHA512: dd6e34824d0811c3f7409bf8882b033bba270fc0d7a4d783d21359ac0043975700e0d1f6a08f33e41d8283eb1ba65881a29e67eaa3ea11ccc4d32eabaca28daf
- memory/456-66-0x000000001BB27000-0x000000001BB46000-memory.dmp (124KB)
- memory/456-67-0x0000000077920000-0x0000000077AC9000-memory.dmp (1.7MB)
- memory/456-64-0x000000001BB27000-0x000000001BB46000-memory.dmp (124KB)
- memory/456-63-0x0000000077920000-0x0000000077AC9000-memory.dmp (1.7MB)
- memory/456-62-0x0000000077920000-0x0000000077AC9000-memory.dmp (1.7MB)
- memory/456-58-0x000000001BB27000-0x000000001BB46000-memory.dmp (124KB)
- memory/456-54-0x00000000000E0000-0x0000000000380000-memory.dmp (2.6MB)
- memory/456-55-0x000000001B340000-0x000000001B5A4000-memory.dmp (2.4MB)
- memory/480-60-0x0000000075D31000-0x0000000075D33000-memory.dmp (8KB)
- memory/480-59-0x0000000000000000-mapping.dmp
- memory/940-84-0x0000000000000000-mapping.dmp
- memory/940-90-0x0000000000EB0000-0x0000000000ED6000-memory.dmp (152KB)
- memory/1056-68-0x0000000000000000-mapping.dmp
- memory/1144-56-0x0000000000000000-mapping.dmp
- memory/1144-57-0x000007FEFC1A1000-0x000007FEFC1A3000-memory.dmp (8KB)
- memory/1172-80-0x0000000000000000-mapping.dmp
- memory/1172-89-0x0000000000E40000-0x0000000000E66000-memory.dmp (152KB)
- memory/1400-65-0x0000000006090000-0x00000000060EC000-memory.dmp (368KB)
- memory/1620-72-0x0000000000000000-mapping.dmp
- memory/1620-87-0x0000000000A00000-0x0000000000A26000-memory.dmp (152KB)
- memory/2012-76-0x0000000000000000-mapping.dmp
- memory/2012-88-0x0000000000070000-0x00000000000CC000-memory.dmp (368KB)