Analysis

  • max time kernel: 149s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7-20230712-en
  • resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted: 18-07-2023 17:59

General

  • Target: Fortnite‮nls.scr
  • Size: 149KB
  • MD5: 141bf998683fbd8da1dd106562844695
  • SHA1: 37e11fe2d414045d3c315029eaa26da4793530e2
  • SHA256: ca488f8b7b1918330e11260aff4fc2b353413f10b7390bb6f8d5437f4d5bf2d2
  • SHA512: 66269b42a3b1eae9c963a0d97df1759fa29576ac3be8cb4b82c78b5e1eb255cfa69070afd58aeb72f07c80a62acf83fd85b94f1fd9fa5f3e6b76d8e03fd9f110
  • SSDEEP: 768:sQ51nPEgDGJ61ktbP13fGrfX+9wqmE/q5/Vj/iF//hKGk4HU3rgJNIIaKTvqXF0x:bDnV261C6X4NmoFEgJycuoGs

Malware Config

Extracted

  • Family: stealerium
  • C2: https://discord.com/api/webhooks/1130093797292900402/tYB3leEFtzF4RkxtyISBBD8JoyElTZ84y-J-gnLkl0c03Bo__qhxshnX3-NkcqxMwsJv

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: ffg
  • C2: runtimebroker.ddns.net:8080
  • Mutex: 9cd48799f48622358d39e92cf2b76213
  • Attributes
    • reg_key: 9cd48799f48622358d39e92cf2b76213
    • splitter: Y262SUCZ4UJJ

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fortnite‮nls.scr
    "C:\Users\Admin\AppData\Local\Temp\Fortnite‮nls.scr" /S
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ImGui\FortniterCS.vcxproj
      2⤵
      PID:2356
    • C:\Users\Admin\PerfWatson.exe
      "C:\Users\Admin\PerfWatson.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:1788
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          PID:2276
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          PID:2716
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:1736
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpED87.tmp.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:2924
        • C:\Windows\SysWOW64\taskkill.exe
          TaskKill /F /IM 2932
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2952
        • C:\Windows\SysWOW64\timeout.exe
          Timeout /T 2 /Nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2848
    • C:\Users\Admin\PerfWatson (2).exe
      "C:\Users\Admin\PerfWatson (2).exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Users\Admin\NtUserRuntime.exe
        "C:\Users\Admin\NtUserRuntime.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:596
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\NtUserRuntime.exe" "NtUserRuntime.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:1632
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1108

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 0fc34d2b31744235fe9e6bde223eba9a
    SHA1: d2ad9d5248100cbd82ee888c15930c163afe3861
    SHA256: f11c013f4e80d36e106035880f161216dbb6699bd44aa1de0934c5a793af3efc
    SHA512: d8bc27c6d2130fa294b386db907660c2bbcaeee7d3ce6e4805c04e64dff9024338df070ac00dafc0ed5146728016e82808cbc6cb4eea775397150091b407f538

  • C:\Users\Admin\AppData\Local\Temp\CabD17A.tmp
    Filesize: 62KB
    MD5: 3ac860860707baaf32469fa7cc7c0192
    SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
    SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
    SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Temp\TarD1AC.tmp
    Filesize: 164KB
    MD5: 4ff65ad929cd9a367680e0e5b1c08166
    SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
    SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
    SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • C:\Users\Admin\AppData\Local\Temp\tmpED87.tmp.bat
    Filesize: 57B
    MD5: d6ad9e604ffa6de5edf54575d15faff8
    SHA1: 51a7f9528fa8d3916c4c02ab6cb5d940bf74cc5c
    SHA256: fca4783d0a61604d49b5ee93af7af69b15c6f36a446cd19141913bf3d6569937
    SHA512: fb65199e4845f32ee5350041da19c116c6e5434ccb5624f2ed657b529b6e15cf8c6aa24aebe8076eaf32ac90270e576acad15699ea29d5ea6e4ce6c41442a594

  • C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\Admin@UMAXQRGK_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\Admin@UMAXQRGK_en-US\Directories\Startup.txt
    Filesize: 24B
    MD5: 68c93da4981d591704cea7b71cebfb97
    SHA1: fd0f8d97463cd33892cc828b4ad04e03fc014fa6
    SHA256: 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
    SHA512: 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

  • C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\Admin@UMAXQRGK_en-US\Directories\Videos.txt
    Filesize: 23B
    MD5: 1fddbf1169b6c75898b86e7e24bc7c1f
    SHA1: d2091060cb5191ff70eb99c0088c182e80c20f8c
    SHA256: a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
    SHA512: 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

  • C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\Admin@UMAXQRGK_en-US\System\Apps.txt
    Filesize: 6KB
    MD5: 2a6d0300865f4242b266ca36fa5b8b44
    SHA1: eee2bba839ada3e0366f0c54c9a1ec73b3e53701
    SHA256: cbee7bc3c5e7006a656b1595d33f76c4e413f9f2b04cfae33ed9dc0821269d5a
    SHA512: 1c74c9e8eb36a0d663ea94d53816501e9c49ccada67af2376e1fce88260c2af2e39fe1292cb47819f09b25f8c944805a65339253db66f66b2013b10b362f4ad4

  • C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\Admin@UMAXQRGK_en-US\System\ProductKey.txt
    Filesize: 29B
    MD5: cad6c6bee6c11c88f5e2f69f0be6deb7
    SHA1: 289d74c3bebe6cca4e1d2e084482ad6d21316c84
    SHA256: dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
    SHA512: e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

  • C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\msgid.dat
    Filesize: 19B
    MD5: 7154104d07ecfcc98d771c1f40b4852f
    SHA1: ad03c2b66529a6ad529f837c7ba841b12feeb387
    SHA256: 5c94705dce7ff84c1c7020f4f8909439864e4b0c9ba06f2467aabd7a90dc7210
    SHA512: 95d6c56312f242c6a81ad99ef38af1a08939f8620d10566615bb11731b45e0c3ecf80a13c641f33be9b5f300511045b8a32285cd2b8d63c53be36c9650bf56e7

  • C:\Users\Admin\NtUserRuntime.exe
    Filesize: 31KB
    MD5: ffedb9454cd970240628f9a65ba440e1
    SHA1: 90e7557bac4789101f7d53a7823623714f16e740
    SHA256: 3801c296dab5e58d5609634c40648b2cd7927d106b08966450629ee261e46ca4
    SHA512: 9ab7fa0fb2161eea6e23ee8dd3289c50c5dea00edd7122ca3e081a6c3b195b71ce2853dd8182481aeeb1f9b0dbe7355b5fdf97684ba6eff9933f4f516fb53c41

  • C:\Users\Admin\PerfWatson (2).exe
    Filesize: 31KB
    MD5: ffedb9454cd970240628f9a65ba440e1
    SHA1: 90e7557bac4789101f7d53a7823623714f16e740
    SHA256: 3801c296dab5e58d5609634c40648b2cd7927d106b08966450629ee261e46ca4
    SHA512: 9ab7fa0fb2161eea6e23ee8dd3289c50c5dea00edd7122ca3e081a6c3b195b71ce2853dd8182481aeeb1f9b0dbe7355b5fdf97684ba6eff9933f4f516fb53c41

  • C:\Users\Admin\PerfWatson.exe
    Filesize: 2.9MB
    MD5: 1d1da22273bc54c1e9d1c5f94b79655d
    SHA1: 91ecd916e9f178468a73bdf7b1dbc79fc6eba929
    SHA256: 67dd4aaad52ce3f19f177ab41004a583dc082c1b068408a53c0533540e687833
    SHA512: 28d01ce3b1ae0eb3da11191604e890b5f5008305778d5957bc5a2c70425c4d874f5c4db6ede34c99926bf52695de33a8e4e2afa12545982fd15a3e7afed8b524

  • \Users\Admin\NtUserRuntime.exe
    Filesize: 31KB
    MD5: ffedb9454cd970240628f9a65ba440e1
    SHA1: 90e7557bac4789101f7d53a7823623714f16e740
    SHA256: 3801c296dab5e58d5609634c40648b2cd7927d106b08966450629ee261e46ca4
    SHA512: 9ab7fa0fb2161eea6e23ee8dd3289c50c5dea00edd7122ca3e081a6c3b195b71ce2853dd8182481aeeb1f9b0dbe7355b5fdf97684ba6eff9933f4f516fb53c41

  • memory/596-109-0x0000000074690000-0x0000000074C3B000-memory.dmp (Filesize: 5.7MB)
  • memory/596-181-0x0000000074690000-0x0000000074C3B000-memory.dmp (Filesize: 5.7MB)
  • memory/1660-97-0x0000000074690000-0x0000000074C3B000-memory.dmp (Filesize: 5.7MB)
  • memory/1660-108-0x0000000074690000-0x0000000074C3B000-memory.dmp (Filesize: 5.7MB)
  • memory/1660-96-0x0000000001F50000-0x0000000001F90000-memory.dmp (Filesize: 256KB)
  • memory/1660-98-0x0000000074690000-0x0000000074C3B000-memory.dmp (Filesize: 5.7MB)
  • memory/2932-99-0x0000000000B30000-0x0000000000B70000-memory.dmp (Filesize: 256KB)
  • memory/2932-107-0x0000000074D40000-0x000000007542E000-memory.dmp (Filesize: 6.9MB)
  • memory/2932-281-0x0000000006900000-0x00000000069B2000-memory.dmp (Filesize: 712KB)
  • memory/2932-179-0x0000000000B30000-0x0000000000B70000-memory.dmp (Filesize: 256KB)
  • memory/2932-177-0x0000000000B30000-0x0000000000B70000-memory.dmp (Filesize: 256KB)
  • memory/2932-223-0x0000000006740000-0x00000000067BA000-memory.dmp (Filesize: 488KB)
  • memory/2932-353-0x0000000006240000-0x00000000062CE000-memory.dmp (Filesize: 568KB)
  • memory/2932-354-0x0000000000890000-0x00000000008AA000-memory.dmp (Filesize: 104KB)
  • memory/2932-374-0x0000000000B30000-0x0000000000B70000-memory.dmp (Filesize: 256KB)
  • memory/2932-95-0x0000000074D40000-0x000000007542E000-memory.dmp (Filesize: 6.9MB)
  • memory/2932-94-0x0000000000B70000-0x0000000000E60000-memory.dmp (Filesize: 2.9MB)
  • memory/2932-383-0x0000000074D40000-0x000000007542E000-memory.dmp (Filesize: 6.9MB)