Analysis
max time kernel: 51s
max time network: 53s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04-06-2023 22:33
Behavioral task behavioral1: sample Fortnite.exe, resource win10-20230220-en
Behavioral task behavioral2: sample Fortnite.exe, resource win10v2004-20230220-en
General
Target: Fortnite.exe
Size: 1.1MB
MD5: f795b0bb519a53aa55f3a1f8b421708d
SHA1: 18b0c53280f120d18e224ef389e21a09902da4f4
SHA256: 0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492
SHA512: d3a1908461508c6bf322e1aa809b6b04ed27e0722957fcdf5d4f828060f4d4ba76d415ba56b8dad1d9d07129603590fc75699d98014fd79f3bfb8ea051e70180
SSDEEP: 24576:U2G/nvxW3Ww0tEiau4VjR/qCUzDG6bNUa1BMJWl:UbA30klYS6b26
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins at runtime.
-
Process spawned unexpected child process (15 IoCs)
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 4740) is not expected to spawn this process. All 15 children are schtasks.exe: PIDs 3744, 2572, 2816, 4720, 4700, 1564, 1208, 1708, 3572, 3116, 3764, 3780, 4824, 4836, 4040.
The signature's generic explanation ("the parent process was compromised via an exploit or macro") does not fit this chain. wmiprvse.exe is the WMI provider host, and the usual way a process ends up with it as parent is creation through WMI (Win32_Process.Create). That detaches the schtasks.exe commands from syscom32.exe in the process tree, which is why they appear at the top level below rather than under the RAT.
DcRat YARA rule matches (resource: yara_rule):
- C:\Windows\syscom32.exe: dcrat (2 matches)
- behavioral1/memory/2628-135-0x0000000000EE0000-0x0000000000FB6000-memory.dmp: dcrat
- C:\odt\ShellExperienceHost.exe: dcrat
- C:\Recovery\WindowsRE\dwm.exe: dcrat (2 matches)
Disables Task Manager via registry modification
Performed by reg.exe (PID 3216, launched from the kkLuA.bat cmd.exe), which sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 1. This only blocks the current user from opening Task Manager; deleting the value restores it.
Executes dropped EXE (2 IoCs)
PID 2628 syscom32.exe; PID 3052 dwm.exe
Drops file in Windows directory (9 IoCs)
Fortnite.exe:
- File created C:\Windows\syscom32.exe
- File opened for modification C:\Windows\syscom32.exe
- File created C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe
- File opened for modification C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe
- File created C:\Windows\kkLuA.bat
- File opened for modification C:\Windows\kkLuA.bat
- File created C:\Windows\__tmp_rar_sfx_access_check_240568343
syscom32.exe:
- File created C:\Windows\PrintDialog\pris\RuntimeBroker.exe
- File created C:\Windows\PrintDialog\pris\9e8d7a4ca61bd9
The __tmp_rar_sfx_access_check_* file is the write-access probe a WinRAR SFX stub drops into its extraction directory, so Fortnite.exe is a RAR self-extracting archive that unpacks its stages (the .vbe, the .bat and syscom32.exe) into C:\Windows. Writing there needs administrative rights, which the sandbox's Admin user supplied.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 3744, 3116, 1708, 4040, 4700, 1564, 1208, 3572, 3764, 3780, 2816, 4720, 4824, 4836, 2572
Modifies registry class (1 IoCs)
Key created \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings by Fortnite.exe
Modifies registry key (1 TTPs, 1 IoCs)
reg.exe (PID 3216): HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, value DisableTaskMgr, REG_DWORD 1 (the command line is in the process tree below).
Suspicious behavior: EnumeratesProcesses (29 IoCs)
PID 2628 syscom32.exe (5 events); PID 3052 dwm.exe (24 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 2628 syscom32.exe
Token: SeDebugPrivilege, PID 3052 dwm.exe
Suspicious use of WriteProcessMemory (13 IoCs)
- PID 2904 Fortnite.exe wrote to memory of PID 4188 WScript.exe (3 events)
- PID 4188 WScript.exe wrote to memory of PID 4976 cmd.exe (3 events)
- PID 4976 cmd.exe wrote to memory of PID 2628 syscom32.exe (2 events)
- PID 2628 syscom32.exe wrote to memory of PID 3052 dwm.exe (2 events)
- PID 4976 cmd.exe wrote to memory of PID 3216 reg.exe (3 events)
Every entry is a parent writing into a child it has just created. CreateProcess itself writes the new process's parameters into the child, so these writes are expected and are not evidence of injection; the value of this list is the execution chain it documents.
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number in brackets is each entry's depth in the tree (1 = top level). The 15 schtasks.exe entries sit at depth 1 because their parent, wmiprvse.exe (PID 4740), is not part of the tree. The sample is 32-bit (arch:x86 tag, SysWOW64 image paths), so the "C:\Windows\System32\..." paths in its command lines are redirected to C:\Windows\SysWOW64 by WOW64 file-system redirection.

[1] C:\Users\Admin\AppData\Local\Temp\Fortnite.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe"
  - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\kkLuA.bat" "
    - Suspicious use of WriteProcessMemory
      [4] C:\Windows\syscom32.exe
          cmdline: "C:\Windows\syscom32.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        [5] C:\Recovery\WindowsRE\dwm.exe
            cmdline: "C:\Recovery\WindowsRE\dwm.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\reg.exe
          cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key

Scheduled tasks, all created by schtasks.exe under wmiprvse.exe. Each of the five targets gets one ONLOGON task with /rl HIGHEST plus two MINUTE-interval relaunch tasks that share a name (the later /create replaces the earlier one because /f overwrites an existing task), so the RAT is restarted every few minutes even if the ONLOGON task is removed. The targets are copies named after Windows system binaries but placed outside System32 (C:\Recovery\WindowsRE, C:\odt, C:\Windows\PrintDialog\pris).

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\ShellExperienceHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\PrintDialog\pris\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\pris\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
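Detection logic for the chain above, as an added example that is not part of the sandbox report. It takes process-creation events constructed from the process tree, pulls the fields out of each schtasks /create command line, and flags what is worth alerting on here: schtasks.exe whose parent is wmiprvse.exe, task targets and running images that carry a Windows system-binary name outside System32/SysWOW64, MINUTE-interval relaunch tasks, and the DisableTaskMgr write. The name lists, the 15-minute watchdog threshold, the benign control event and the pairing of PIDs to particular schtasks commands are assumptions of the example, not data from the report.

```python
"""Triage rules for the persistence chain in the report above.

Added example, not part of the sandbox report. The events below are constructed
from the process tree (image, parent image, command line). The name lists, the
watchdog threshold and the PID-to-command pairing are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows binary names DcRat copies itself under; legitimate only in system dirs. (assumption)
SYSTEM_BINARY_NAMES = {"dwm.exe", "csrss.exe", "spoolsv.exe", "runtimebroker.exe",
                       "shellexperiencehost.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\systemapps\\")
# Parents that have no business launching schtasks.exe directly. (assumption)
UNEXPECTED_SCHTASKS_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "mshta.exe"}
WATCHDOG_MAX_MINUTES = 15  # "/sc MINUTE /mo N" with N this small is a relaunch loop, not a job


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def parse_schtasks_create(cmdline: str) -> dict | None:
    """Extract name, schedule, interval, target binary and run level from a
    `schtasks /create` command line; None for any other command."""
    if not re.search(r"/create\b", cmdline, re.I):
        return None

    def opt(pattern: str) -> str | None:
        m = re.search(pattern, cmdline, re.I)
        return m.group(1) if m else None

    run = opt(r'/tr\s+"([^"]*)"') or opt(r"/tr\s+(\S+)")
    target = None
    if run:
        # /tr may wrap the path in '...' (this sample), "..." or nothing; drop any arguments.
        m = re.match(r"""\s*(?:"([^"]+)"|'([^']+)'|(\S+))""", run)
        target = next(g for g in m.groups() if g) if m else None
    mo = opt(r"/mo\s+(\d+)")
    return {
        "task_name": opt(r'/tn\s+"?([^"\s]+)"?'),
        "schedule": (opt(r"/sc\s+(\S+)") or "").upper() or None,
        "modifier": int(mo) if mo else None,
        "target": target,
        "run_level": (opt(r"/rl\s+(\S+)") or "").upper() or None,
    }


def check_event(ev: ProcEvent) -> list[Finding]:
    """Run the rules against one process-creation event, in a fixed order."""
    out: list[Finding] = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image == "schtasks.exe" and parent in UNEXPECTED_SCHTASKS_PARENTS:
        out.append(Finding(ev.pid, "schtasks-unexpected-parent",
                           f"{parent} (PID {ev.parent_pid}) launched schtasks.exe"))
    if image in SYSTEM_BINARY_NAMES and not in_system_dir(ev.image):
        out.append(Finding(ev.pid, "masquerading-image", ev.image))
    task = parse_schtasks_create(ev.cmdline) if image == "schtasks.exe" else None
    if task and task["target"]:
        if basename(task["target"]) in SYSTEM_BINARY_NAMES and not in_system_dir(task["target"]):
            out.append(Finding(ev.pid, "masquerading-task-target",
                               f"{task['task_name']} -> {task['target']}"))
        if task["schedule"] == "MINUTE" and task["modifier"] and task["modifier"] <= WATCHDOG_MAX_MINUTES:
            out.append(Finding(ev.pid, "watchdog-task",
                               f"{task['task_name']} relaunches every {task['modifier']} min"))
    if image == "reg.exe" and re.search(r"\bDisableTaskMgr\b.*\s/d\s+1\b", ev.cmdline, re.I):
        out.append(Finding(ev.pid, "taskmgr-disabled", ev.cmdline))
    return out


def triage(events: list[ProcEvent]) -> dict[str, int]:
    """Count findings per rule over a batch of events."""
    counts: dict[str, int] = {}
    for ev in events:
        for f in check_event(ev):
            counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
# Constructed from the report's process tree. The report does not say which schtasks
# command ran under which PID, so the PIDs on those rows are taken from its PID list.
SAMPLE_EVENTS = [
    ProcEvent(3052, r"C:\Recovery\WindowsRE\dwm.exe", 2628, r"C:\Windows\syscom32.exe",
              r'"C:\Recovery\WindowsRE\dwm.exe"'),
    ProcEvent(3216, r"C:\Windows\SysWOW64\reg.exe", 4976, r"C:\Windows\SysWOW64\cmd.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ProcEvent(3744, SCHTASKS, 4740, WMIPRVSE,
              r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f'''),
    ProcEvent(2572, SCHTASKS, 4740, WMIPRVSE,
              r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f'''),
    ProcEvent(1564, SCHTASKS, 4740, WMIPRVSE,
              r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f'''),
    # Benign control (constructed): an admin's PowerShell registering a nightly job.
    ProcEvent(5000, SCHTASKS, 5001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe" /f'''),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in check_event(ev):
            print(f"PID {f.pid:<5} {f.rule:<28} {f.detail}")
    print(triage(SAMPLE_EVENTS))
```

The rules deliberately key on the task's target path and the parent image rather than on the task names, since "dwmd" or "csrssc" are trivial for the operator to change while a copy of the RAT named dwm.exe must live somewhere other than System32 to avoid colliding with the real binary. Feeding real Sysmon event 1 records into ProcEvent (Image, ParentImage, CommandLine) is the intended use; the benign control shows that a normal schtasks /create from an administrator's shell produces no findings.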
Downloads
Dropped files. The three captured executables (syscom32.exe, dwm.exe, ShellExperienceHost.exe) are byte-identical: one 829KB payload written under three names. syscom32.exe and dwm.exe each appear twice in the report with the same hashes; the duplicates are collapsed here. The other task targets (C:\odt\spoolsv.exe, C:\Recovery\WindowsRE\csrss.exe, C:\Windows\PrintDialog\pris\RuntimeBroker.exe) were not captured as downloads.

C:\Windows\syscom32.exe, C:\Recovery\WindowsRE\dwm.exe, C:\odt\ShellExperienceHost.exe
  Filesize: 829KB
  MD5: a0ae20389c09fb809b4d4a842cb890d4
  SHA1: f30474f81d60a8c27a722dc822c15639eec30f28
  SHA256: dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7
  SHA512: 2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

C:\Windows\kkLuA.bat
  Filesize: 137B
  MD5: eddbf02b8f63229a6f4670d77d49f965
  SHA1: 84dc5aa13c3a7144742df74e28da6a7ad9177a69
  SHA256: 12646d50947198b1c27be43e89905ce71902c186c21f1abbe0dc16919d4ce7ae
  SHA512: be87f2ec9e7371a7999b8c552af765374d8c5c186df18dea61caa5ca57b1ac9e95b194a31d459e090a5cb32c7908af3e90cb4b2576ccfc191a6043879436681d

C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe
  Filesize: 189B
  MD5: c7c7ffa475aef8dff75df4c55df974af
  SHA1: ef0427f4f4091c69d488443079477b1d4416e9b2
  SHA256: 19a4bf5506db87cf645f4a6e9af79b85e0d04ac4e7bc948585510dfe99d5ef16
  SHA512: 72fa6c18a83eb5edb303a85de4fb5f759a570aa5281525da6021cc1f0613257fbb5305f7a1bf6f6e3337d9ef707776a372b938f6ae6be777b7e6fe18a9dcba66

Memory dumps:
  memory/2628-135-0x0000000000EE0000-0x0000000000FB6000-memory.dmp: 856KB (syscom32.exe; the region the dcrat YARA rule matched)
  memory/2628-136-0x00000000016D0000-0x00000000016E0000-memory.dmp: 64KB
  memory/3052-152 through memory/3052-159, each 0x0000000000B10000-0x0000000000B20000-memory.dmp: 64KB (eight dumps of the same dwm.exe region)