Analysis

max time kernel:   48s
max time network:  51s
platform:          windows10-2004_x64
resource:          win10v2004-20230220-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted:         26-05-2023 14:47

Static task:       static1
Behavioral task:   behavioral1
  Sample:          SaturnFortnite.exe
  Resource:        win10v2004-20230220-en
General

Target:  SaturnFortnite.exe
Size:    2.0MB
MD5:     6a1ba7131816623100ddf8e97d06200b
SHA1:    a4475f56943d22dede436a6ffbb3401556804c86
SHA256:  bebd4ba0d82d3210f38aa277fdc52f0c7d671d1169ba56c54bc730038f0a49b4
SHA512:  837831a4a45e3c8c293da3cb86f81dc71f73281cd48ba557e2e107c4f9067add1b87af45c63fffc17f11e03fa7ef38b101e21b81bf2ff9ab25451b532ba4dd82
SSDEEP:  49152:Kh5QIozWgw59UWxmEG6WG3rXGlUWAH4qnSCaG:gxo09p759rtf4qbaG
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)   2 TTPs, 1 IoC
  Key opened          \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   (SaturnFortnite.exe)

Checks BIOS information in registry   2 TTPs, 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   (SaturnFortnite.exe)
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    (SaturnFortnite.exe)

Identifies Wine through registry keys   2 TTPs, 1 IoC
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened          \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Wine   (SaturnFortnite.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger   1 IoC
  PID 2656  SaturnFortnite.exe

Program crash   1 IoC
  PID 2264  WerFault.exe   target PID 2656   procid_target 83

Checks SCSI registry key(s)   3 TTPs, 3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000   (taskmgr.exe)
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   (taskmgr.exe)
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName   (taskmgr.exe)

Checks processor information in registry   2 TTPs, 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0   (taskmgr.exe)
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   (taskmgr.exe)

Suspicious behavior: EnumeratesProcesses   21 IoCs
  PID 2656  SaturnFortnite.exe   (2 IoCs)
  PID 4072  taskmgr.exe          (19 IoCs)

Suspicious use of AdjustPrivilegeToken   5 IoCs
  Token: SeDebugPrivilege            PID 4072  taskmgr.exe
  Token: SeSystemProfilePrivilege    PID 4072  taskmgr.exe
  Token: SeCreateGlobalPrivilege     PID 4072  taskmgr.exe
  Token: 33                          PID 4072  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  PID 4072  taskmgr.exe

Suspicious use of FindShellTrayWindow   46 IoCs
  PID 4072  taskmgr.exe   (46 IoCs)

Suspicious use of SendNotifyMessage   45 IoCs
  PID 4072  taskmgr.exe   (45 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\SaturnFortnite.exe   (PID 2656)
  command line: "C:\Users\Admin\AppData\Local\Temp\SaturnFortnite.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

  +-- C:\Windows\SysWOW64\WerFault.exe   (PID 2264)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1032
        - Program crash

C:\Windows\SysWOW64\WerFault.exe   (PID 1524)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2656 -ip 2656

C:\Windows\system32\taskmgr.exe   (PID 4072)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
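The registry reads flagged in the Signatures section are the standard environment fingerprints (ACPI table OEM IDs, BIOS version strings, the Wine key, SCSI device enumeration, CPU description), and the process tree shows which process performed each one. The Python below is an added example, not part of the sandbox report or of the sample: it classifies registry events into fingerprint families and then uses the process tree to decide what can be attributed to the sample. Reads by the sample or its descendants count against it; reads by a top-level process such as taskmgr.exe, which the tree shows was not spawned by the sample, are listed separately for the analyst to judge. The event list, process tree and rule set are constructed by hand from the rows above; the FADT/RSDT alternatives next to DSDT and the ControlSetNNN wildcard generalize slightly beyond the exact keys this report shows.

```python
import re

# Constructed for this example from the IoC rows in the report above:
# (operation, registry key, pid). This is not a sandbox export format.
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", 2656),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", 2656),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", 2656),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Wine", 2656),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000", 4072),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A", 4072),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName", 4072),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0", 4072),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", 4072),
]

# Process tree as the report shows it: pid -> (image name, parent pid).
# A parent of None means the process was started at the top level and
# was not spawned by the sample.
PROCESS_TREE = {
    2656: ("SaturnFortnite.exe", None),
    2264: ("WerFault.exe", 2656),
    1524: ("WerFault.exe", None),
    4072: ("taskmgr.exe", None),
}

# Registry key families commonly read to fingerprint a VM or sandbox.
# Hand-written for this example; FADT/RSDT next to DSDT and the
# ControlSetNNN wildcard go slightly beyond the exact keys in the report.
RULES = [
    ("acpi_vbox", re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios_info", re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine", re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[0-9-]+\\Software\\Wine$", re.I)),
    ("scsi_enum", re.compile(r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d{3}\\Enum\\SCSI\\", re.I)),
    ("cpu_info", re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.I)),
]


def classify(events, rules=RULES):
    """Return {pid: {category: [(operation, key), ...]}} for events that
    hit a fingerprinting rule; events matching no rule are dropped."""
    hits = {}
    for op, key, pid in events:
        for name, pattern in rules:
            if pattern.search(key):
                hits.setdefault(pid, {}).setdefault(name, []).append((op, key))
    return hits


def descends_from(pid, root, tree):
    """True if pid is root itself or one of root's descendants."""
    while pid is not None:
        if pid == root:
            return True
        pid = tree.get(pid, (None, None))[1]  # unknown pid: stop climbing
    return False


def attribute(hits, tree, sample_pid):
    """Split hits into the fingerprint families read by the sample (or its
    children) and those read by unrelated processes. The latter are kept
    separate so they are not blamed on the sample by default: a process
    monitor reading CPU and disk descriptions for its own display is the
    obvious benign explanation for the taskmgr.exe rows in this report."""
    sample, other = set(), {}
    for pid, cats in hits.items():
        if descends_from(pid, sample_pid, tree):
            sample.update(cats)
        else:
            image = tree.get(pid, (f"pid {pid}", None))[0]
            other[image] = set(cats)
    return sample, other


def verdict(sample_categories, min_categories=2):
    """Crude triage rule: two or more distinct fingerprint families read by
    the sample itself is treated as deliberate environment probing."""
    return "anti-vm" if len(sample_categories) >= min_categories else "inconclusive"


if __name__ == "__main__":
    hits = classify(EVENTS)
    sample, other = attribute(hits, PROCESS_TREE, 2656)
    print("sample read:", sorted(sample), "->", verdict(sample))
    for image, cats in sorted(other.items()):
        print("unrelated process", image, "read:", sorted(cats))
```

Run as a script, it reports three families (acpi_vbox, bios_info, wine) for PID 2656 and the verdict "anti-vm", while the SCSI and CPU reads are listed under taskmgr.exe rather than charged to the sample. The same split is worth making by hand when reading any sandbox report: a signature fired by a top-level process is not evidence about the submitted file.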