Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 18-07-2023 17:59
Static task: static1
Behavioral task: behavioral1
  Sample: Fortnitenls.scr
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: Fortnitenls.scr
  Resource: win10v2004-20230703-en
General
Target: Fortnitenls.scr
Size: 149KB
MD5: 141bf998683fbd8da1dd106562844695
SHA1: 37e11fe2d414045d3c315029eaa26da4793530e2
SHA256: ca488f8b7b1918330e11260aff4fc2b353413f10b7390bb6f8d5437f4d5bf2d2
SHA512: 66269b42a3b1eae9c963a0d97df1759fa29576ac3be8cb4b82c78b5e1eb255cfa69070afd58aeb72f07c80a62acf83fd85b94f1fd9fa5f3e6b76d8e03fd9f110
SSDEEP: 768:sQ51nPEgDGJ61ktbP13fGrfX+9wqmE/q5/Vj/iF//hKGk4HU3rgJNIIaKTvqXF0x:bDnV261C6X4NmoFEgJycuoGs
Malware Config
Extracted: stealerium
  C2 (Discord webhook): https://discord.com/api/webhooks/1130093797292900402/tYB3leEFtzF4RkxtyISBBD8JoyElTZ84y-J-gnLkl0c03Bo__qhxshnX3-NkcqxMwsJv
Extracted: njrat
  Version: 0.7d
  Botnet: ffg
  C2: runtimebroker.ddns.net:8080
  Mutex: 9cd48799f48622358d39e92cf2b76213
  reg_key: 9cd48799f48622358d39e92cf2b76213
  splitter: Y262SUCZ4UJJ
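The two configs above become hunting indicators with a few lines of code. The following Python is an added example written for this report; it is not sandbox output and not code from Stealerium or njRAT. The webhook URL, the C2 and the reg_key are taken from the config above; the field names (webhook_id, webhook_token, njrat_host_artifact) and the defanging style are this script's own. The Discord webhook ID is a snowflake, so the script also recovers the webhook's creation time from it.

```python
"""Normalise the two extracted configs into indicators.

Added example for this report; not code from the sandbox, from Stealerium
or from njRAT. The values below are copied from the Malware Config section;
the field names are this script's own labels.
"""
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Discord snowflake epoch, 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1420070400000

STEALERIUM_WEBHOOK = (
    "https://discord.com/api/webhooks/1130093797292900402/"
    "tYB3leEFtzF4RkxtyISBBD8JoyElTZ84y-J-gnLkl0c03Bo__qhxshnX3-NkcqxMwsJv"
)
NJRAT_C2 = "runtimebroker.ddns.net:8080"
NJRAT_REG_KEY = "9cd48799f48622358d39e92cf2b76213"

_WEBHOOK_PATH = re.compile(r"^/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)$")


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake: the top 42 bits are
    milliseconds since DISCORD_EPOCH_MS, so the webhook ID dates the webhook."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_discord_webhook(url: str) -> dict:
    """Split a webhook URL into ID and token. The token is the secret that lets
    anyone post to the webhook, and it is what an abuse report to Discord needs."""
    u = urlparse(url)
    if u.scheme != "https" or u.hostname not in {"discord.com", "discordapp.com"}:
        raise ValueError(f"not a Discord webhook URL: {url}")
    m = _WEBHOOK_PATH.match(u.path)
    if m is None:
        raise ValueError(f"unexpected webhook path: {u.path}")
    webhook_id = int(m["id"])
    return {
        "webhook_id": webhook_id,
        "webhook_token": m["token"],
        "created_utc": snowflake_time(webhook_id).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def parse_hostport(c2: str) -> tuple:
    """Split host:port; njRAT stores the C2 as a single string."""
    host, sep, port = c2.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected host:port, got {c2!r}")
    return host, int(port)


def defang(value: str) -> str:
    """hxxps://host[.]tld form so the indicator cannot be clicked or auto-linked.
    Only the scheme and host are rewritten; the path (and webhook token) stay intact."""
    scheme, sep, rest = value.partition("://")
    if not sep:  # bare host[:port] without a scheme
        scheme, rest = "", value
    host, slash, tail = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + tail


def build_indicators() -> dict:
    """Indicator set for this sample. Both families report to attacker-controlled
    endpoints on legitimate infrastructure: a Discord webhook and a dynamic-DNS name."""
    webhook = parse_discord_webhook(STEALERIUM_WEBHOOK)
    host, port = parse_hostport(NJRAT_C2)
    return {
        "stealerium_webhook": webhook,
        "stealerium_webhook_defanged": defang(STEALERIUM_WEBHOOK),
        "njrat_c2_host": host,
        "njrat_c2_port": port,
        "njrat_c2_defanged": defang(NJRAT_C2),
        # njRAT reuses reg_key as the Run value name and the Startup file name,
        # so it is a host artefact to hunt for, not only a config field.
        "njrat_host_artifact": NJRAT_REG_KEY,
    }


if __name__ == "__main__":
    print(json.dumps(build_indicators(), indent=2))
```

The snowflake in the webhook ID decodes to 2023-07-16T11:09:17Z, two days before the sample was submitted (18-07-2023), which gives a lower bound for the start of this campaign. The njRAT C2 is a dynamic-DNS name (ddns.net), so resolve it at analysis time and record the IP with a timestamp rather than treating that IP as a durable indicator.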
Signatures
Stealerium
  An open-source info stealer written in C#, first seen in May 2022.
Downloads MZ/PE file
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9cd48799f48622358d39e92cf2b76213.exe (NtUserRuntime.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9cd48799f48622358d39e92cf2b76213.exe (NtUserRuntime.exe)
Executes dropped EXE (3 IoCs)
  Processes:
    2932 PerfWatson.exe
    1660 PerfWatson (2).exe
    596 NtUserRuntime.exe
Loads dropped DLL (1 IoCs)
  Processes:
    1660 PerfWatson (2).exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PerfWatson.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PerfWatson.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PerfWatson.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\9cd48799f48622358d39e92cf2b76213 = "C:\Users\Admin\NtUserRuntime.exe" .. (NtUserRuntime.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9cd48799f48622358d39e92cf2b76213 = "C:\Users\Admin\NtUserRuntime.exe" .. (NtUserRuntime.exe)
  The value name is the reg_key from the extracted njRAT config, and the trailing " .." after the quoted path is how njRAT 0.7d writes its autorun command; the same name is used for the Startup-folder copy above.
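The two Run values and the Startup-folder file share one name, the 32-hex reg_key from the extracted njRAT config, and the Run value data ends in " ..". The correlation a detection pipeline would do over registry and file events is shown below as an added example, not the sandbox's own logic and not njRAT code; the events are constructed in a Sysmon-like shape from the "Drops startup file" and "Adds Run key" tables in this report, plus two made-up benign entries (OneDrive, OneNote) to show what is not flagged.

```python
"""Correlate Run-key values and Startup-folder files by name.

Added example for this report; not the sandbox's logic and not njRAT code.
EVENTS are constructed in a Sysmon-like shape from the report's tables; the
OneDrive and OneNote entries are made-up benign noise. The config value passed
to correlate() is the reg_key from the extracted njRAT config.
"""
import re

# (event type, writing image, target path, value data or None)
EVENTS = [
    ("registry_set", r"C:\Users\Admin\NtUserRuntime.exe",
     r"HKU\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\9cd48799f48622358d39e92cf2b76213",
     r'"C:\Users\Admin\NtUserRuntime.exe" ..'),
    ("registry_set", r"C:\Users\Admin\NtUserRuntime.exe",
     r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9cd48799f48622358d39e92cf2b76213",
     r'"C:\Users\Admin\NtUserRuntime.exe" ..'),
    ("file_create", r"C:\Users\Admin\NtUserRuntime.exe",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9cd48799f48622358d39e92cf2b76213.exe",
     None),
    # constructed benign noise
    ("registry_set", r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     r"HKU\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("file_create", r"C:\Windows\explorer.exe",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk",
     None),
]

RUN_VALUE_RE = re.compile(r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_FILE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+?)(?:\.[^.\\]+)?$", re.I)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
QUOTED_CMD_RE = re.compile(r'^"([^"]+)"\s*(.*)$')


def _empty() -> dict:
    return {"run_keys": [], "startup_files": [], "targets": set(), "trailing_dots": False}


def correlate(events, config_reg_key=None, min_signals=2) -> list:
    """Group Run values and Startup files by name and score each name:
    32 hex chars, present as both Run value and Startup file, Run command
    ending in ' ..', and (if known) equality with the config's reg_key."""
    by_name = {}
    for kind, image, target, data in events:
        if kind == "registry_set" and (m := RUN_VALUE_RE.search(target)):
            entry = by_name.setdefault(m.group(1), _empty())
            entry["run_keys"].append(target)
            if cmd := QUOTED_CMD_RE.match(data or ""):
                entry["targets"].add(cmd.group(1).lower())
                # njRAT 0.7d writes the autorun command as "<exe>" followed by ' ..'
                entry["trailing_dots"] |= cmd.group(2).strip() == ".."
        elif kind == "file_create" and (m := STARTUP_FILE_RE.search(target)):
            by_name.setdefault(m.group(1), _empty())["startup_files"].append(target)

    findings = []
    for name, e in by_name.items():
        signals = []
        if HEX32_RE.match(name):
            signals.append("hex32_name")
        if e["run_keys"] and e["startup_files"]:
            signals.append("run_key_and_startup_file")
        if e["trailing_dots"]:
            signals.append("trailing_dots_argument")
        if config_reg_key and name.lower() == config_reg_key.lower():
            signals.append("matches_config_reg_key")
        if len(signals) >= min_signals:
            findings.append({"name": name, "signals": signals, "targets": sorted(e["targets"]),
                             "run_keys": e["run_keys"], "startup_files": e["startup_files"]})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS, config_reg_key="9cd48799f48622358d39e92cf2b76213"):
        print(f["name"], f["signals"], f["targets"])
```

With the config reg_key supplied the njRAT name collects all four signals; without it the other three are still enough to flag it, while the OneDrive value and the OneNote shortcut collect none.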
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 12: icanhazip.com
    flow 20: icanhazip.com
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (PerfWatson.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (PerfWatson.exe)
Delays execution with timeout.exe (1 IoCs)
  Processes:
    2848 timeout.exe
Kills process with taskkill (1 IoCs)
  Processes:
    2952 taskkill.exe
Modifies system certificate store
  Processes:
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <data removed> (PerfWatson.exe)
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (PerfWatson.exe)
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <data removed> (PerfWatson.exe)
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (Fortnitenls.scr)
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e0603550403131744696769436572742047 6c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde (Fortnitenls.scr)
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 (PerfWatson.exe)
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = <data removed> (PerfWatson.exe)
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (PerfWatson.exe)
  All four thumbprints are well-known public roots: CABD2A79... is ISRG Root X1, DAC9024F... is DST Root CA X3, A8985D3A... is DigiCert Global Root CA and D4DE20D0... is Baltimore CyberTrust Root. Windows writes a root into ROOT/AuthRoot like this through its automatic root update when a process makes a TLS connection whose chain ends in a root not yet cached locally (the CryptnetUrlCache file under Downloads is part of that mechanism), so this signature reflects the sample's outbound TLS connections rather than an attacker-supplied root certificate. A thumbprint that is not a known public root in this position would be the thing to investigate. The A8985D3A... Blob is CryptoAPI's serialized certificate context: a sequence of records of the form property ID, 1, length, data, whose last record (CERT_CERT_PROP_ID, 32) carries the 947-byte DER certificate of DigiCert Global Root CA.
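The registry Blob above can be decoded offline to confirm what was actually installed. The following Python is an added example for this report, not sandbox code and not a Windows API: it parses the Blob record layout (DWORD property ID, DWORD 1, DWORD length, data), decodes the friendly name, and checks that the SHA1 of the embedded DER certificate matches both the stored SHA1 property and the registry key name. REPORT_BLOB_PREFIX is the start of the A8985D3A... Blob copied from the report, cut before the certificate record to keep the listing short, so the thumbprint-verification demo uses a constructed blob with a fake certificate; the property-ID names are the CryptoAPI constants, and the four thumbprint-to-root mappings are the well-known public roots named above.

```python
"""Decode a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value.

Added example for this report, not code from the sandbox or from Windows.
REPORT_BLOB_PREFIX is the start of the A8985D3A... Blob copied from the
report, cut before the certificate record; the verification demo therefore
uses a constructed blob with a fake certificate.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID", 4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID", 11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID", 20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID", 32: "CERT_CERT_PROP_ID",
}
# SHA1 thumbprints of the roots the report shows being written; all public roots.
KNOWN_PUBLIC_ROOTS = {
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
    "DAC9024F54D8F6DF94935FB1732638CA6AD77C13": "DST Root CA X3",
    "D4DE20D05E66FC53FE1A50882C78DB2852CAE474": "Baltimore CyberTrust Root",
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1",
}

# First eight records of the A8985D3A... Blob, copied from the report.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e"
    "0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b"
    "090000000100000034000000303206082b0601050507030106082b06010505070302"
    "06082b0601050507030406082b0601050507030306082b06010505070308"
    "14000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155"
    "0b0000000100000012000000440069006700690043006500720074000000"
    "1d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9"
    "030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"
    "1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee"
)


def parse_blob(blob: bytes) -> list:
    """Split a Blob into (property ID, data) records; a truncated or
    malformed record raises instead of being silently skipped."""
    records, off = [], 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        propid, flag, length = struct.unpack_from("<III", blob, off)
        if flag != 1 or off + 12 + length > len(blob):
            raise ValueError(f"malformed record (propid={propid}) at offset {off}")
        records.append((propid, blob[off + 12:off + 12 + length]))
        off += 12 + length
    return records


def summarize(blob: bytes) -> dict:
    """Readable view: friendly name decoded from UTF-16LE, everything else as hex."""
    out = {}
    for propid, data in parse_blob(blob):
        name = PROP_NAMES.get(propid, f"prop_{propid}")
        if propid == CERT_FRIENDLY_NAME_PROP_ID:
            out[name] = data.decode("utf-16-le").rstrip("\x00")
        else:
            out[name] = data.hex()
    return out


def verify_thumbprint(blob: bytes, key_name: str) -> bool:
    """True only if SHA1(embedded DER cert) equals both the stored SHA1 property
    and the registry key name; a blob without a certificate record fails."""
    recs = dict(parse_blob(blob))
    cert, stored = recs.get(CERT_CERT_PROP_ID), recs.get(CERT_SHA1_HASH_PROP_ID)
    if cert is None or stored is None:
        return False
    actual = hashlib.sha1(cert).digest()
    return actual == stored and actual.hex().upper() == key_name.upper()


def classify(key_name: str) -> str:
    """Known public root, or a thumbprint that needs a closer look."""
    return KNOWN_PUBLIC_ROOTS.get(key_name.upper(), "unknown root: extract the DER and review it")


def build_blob(records) -> bytes:
    """Serialize (property ID, data) pairs in the same layout; used for the demo."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


# Constructed demo: a fake 'certificate' (not a real DER) with a matching SHA1 record,
# and a tampered copy whose certificate bytes no longer match the stored hash.
FAKE_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
DEMO_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "Demo\x00".encode("utf-16-le")),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER),
])
DEMO_KEY_NAME = hashlib.sha1(FAKE_DER).hexdigest().upper()
TAMPERED_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER + b"\x00"),
])

if __name__ == "__main__":
    for k, v in summarize(REPORT_BLOB_PREFIX).items():
        print(f"{k:45} {v}")
    print(classify("A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"))
    print(verify_thumbprint(DEMO_BLOB, DEMO_KEY_NAME), verify_thumbprint(TAMPERED_BLOB, DEMO_KEY_NAME))
```

On the report's prefix the friendly name decodes to "DigiCert" and the SHA1 property equals the key name, which is the consistency a legitimate auto-update write shows. For a full Blob (as exported from the registry), verify_thumbprint() also hashes the DER itself; a mismatch between the hash property and the certificate bytes is the sign of a hand-crafted store entry.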
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    2932 PerfWatson.exe (6 events)
Suspicious use of AdjustPrivilegeToken (38 IoCs)
  Processes:
    2932 PerfWatson.exe: SeDebugPrivilege
    1108 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
    596 NtUserRuntime.exe: SeDebugPrivilege, then 16 repetitions of the pair "Token: 33" / SeIncBasePriorityPrivilege (32 events; LUID 33 is SeIncreaseWorkingSetPrivilege, which the sandbox reports by number only)
    2952 taskkill.exe: SeDebugPrivilege
Suspicious use of WriteProcessMemory (63 IoCs)
  Processes (parent -> child, number of write events):
    2572 Fortnitenls.scr -> 2356 cmd.exe (3)
    2572 Fortnitenls.scr -> 2932 PerfWatson.exe (4)
    2572 Fortnitenls.scr -> 1660 PerfWatson (2).exe (4)
    1660 PerfWatson (2).exe -> 596 NtUserRuntime.exe (4)
    2932 PerfWatson.exe -> 2956 cmd.exe (4)
    2956 cmd.exe -> 1788 chcp.com (4)
    2956 cmd.exe -> 2276 netsh.exe (4)
    2956 cmd.exe -> 2716 findstr.exe (4)
    2932 PerfWatson.exe -> 1828 cmd.exe (4)
    1828 cmd.exe -> 1736 chcp.com (4)
    1828 cmd.exe -> 2188 netsh.exe (4)
    596 NtUserRuntime.exe -> 1632 netsh.exe (4)
    2932 PerfWatson.exe -> 2788 cmd.exe (4)
    2788 cmd.exe -> 2924 chcp.com (4)
    2788 cmd.exe -> 2952 taskkill.exe (4)
    2788 cmd.exe -> 2848 timeout.exe (4)
  Every pair here is a parent writing into a child it has just created, which is the normal CreateProcess sequence (the parent populates the new process's initial parameters); the list corroborates the parent/child relationships in the process tree but is not by itself evidence of code injection.
outlook_office_path (1 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PerfWatson.exe)
outlook_win_path (1 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (PerfWatson.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\Fortnitenls.scr  (PID 2572)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Fortnitenls.scr" /S
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe  (PID 2356)
    cmdline: "C:\Windows\System32\cmd.exe" /C ImGui\FortniterCS.vcxproj
  C:\Users\Admin\PerfWatson.exe  (PID 2932)
    cmdline: "C:\Users\Admin\PerfWatson.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    C:\Windows\SysWOW64\cmd.exe  (PID 2956)
      cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com  (PID 1788)
        cmdline: chcp 65001
      C:\Windows\SysWOW64\netsh.exe  (PID 2276)
        cmdline: netsh wlan show profile
      C:\Windows\SysWOW64\findstr.exe  (PID 2716)
        cmdline: findstr All
    C:\Windows\SysWOW64\cmd.exe  (PID 1828)
      cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com  (PID 1736)
        cmdline: chcp 65001
      C:\Windows\SysWOW64\netsh.exe  (PID 2188)
        cmdline: netsh wlan show networks mode=bssid
    C:\Windows\SysWOW64\cmd.exe  (PID 2788)
      cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpED87.tmp.bat
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com  (PID 2924)
        cmdline: chcp 65001
      C:\Windows\SysWOW64\taskkill.exe  (PID 2952)
        cmdline: TaskKill /F /IM 2932
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\timeout.exe  (PID 2848)
        cmdline: Timeout /T 2 /Nobreak
        - Delays execution with timeout.exe
  C:\Users\Admin\PerfWatson (2).exe  (PID 1660)
    cmdline: "C:\Users\Admin\PerfWatson (2).exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\NtUserRuntime.exe  (PID 596)
      cmdline: "C:\Users\Admin\NtUserRuntime.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe  (PID 1632)
        cmdline: netsh firewall add allowedprogram "C:\Users\Admin\NtUserRuntime.exe" "NtUserRuntime.exe" ENABLE
        - Modifies Windows Firewall
C:\Windows\system32\msiexec.exe  (PID 1108)
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

Two details of the tree worth noting: the batch under PID 2788 runs TaskKill /F /IM 2932, but /IM takes an image name, so with a PID as its argument taskkill looks for a process named "2932" and terminates nothing; and a kill-then-wait batch dropped in %TEMP% is the usual self-removal pattern, whose final del step is a cmd builtin and therefore never shows up as a process of its own.
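The tree above is what a process-creation log (Sysmon event 1 or EDR telemetry) would show. The following Python is an added example for this report, not sandbox code and not code from Stealerium or njRAT: it rebuilds parent chains from constructed events transcribed from the tree (the parent PIDs of the two root processes and the last, benign netsh event are made up) and flags the three command-line patterns that matter here: netsh wlan enumeration, a netsh firewall rule whose allowed program is the requesting process itself, and a %TEMP% batch that runs taskkill followed by timeout. The rule names are this script's own.

```python
"""Flag the command-line patterns in this process tree from process-creation events.

Added example for this report; not sandbox code and not code from Stealerium
or njRAT. RAW_EVENTS is transcribed from the report's process tree into a
Sysmon-like shape (pid, ppid, image path, command line); the parent PIDs
1000 and 500 and the final netsh event are made up.
"""
import re
from collections import defaultdict

RAW_EVENTS = [
    (2572, 1000, r"C:\Users\Admin\AppData\Local\Temp\Fortnitenls.scr",
     r'"C:\Users\Admin\AppData\Local\Temp\Fortnitenls.scr" /S'),
    (2356, 2572, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C ImGui\FortniterCS.vcxproj'),
    (2932, 2572, r"C:\Users\Admin\PerfWatson.exe", r'"C:\Users\Admin\PerfWatson.exe"'),
    (1660, 2572, r"C:\Users\Admin\PerfWatson (2).exe", r'"C:\Users\Admin\PerfWatson (2).exe"'),
    (2956, 2932, r"C:\Windows\SysWOW64\cmd.exe", r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (1788, 2956, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    (2276, 2956, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    (2716, 2956, r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    (1828, 2932, r"C:\Windows\SysWOW64\cmd.exe", r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    (2188, 1828, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show networks mode=bssid"),
    (2788, 2932, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpED87.tmp.bat'),
    (2952, 2788, r"C:\Windows\SysWOW64\taskkill.exe", "TaskKill /F /IM 2932"),
    (2848, 2788, r"C:\Windows\SysWOW64\timeout.exe", "Timeout /T 2 /Nobreak"),
    (596, 1660, r"C:\Users\Admin\NtUserRuntime.exe", r'"C:\Users\Admin\NtUserRuntime.exe"'),
    (1632, 596, r"C:\Windows\SysWOW64\netsh.exe",
     r'netsh firewall add allowedprogram "C:\Users\Admin\NtUserRuntime.exe" "NtUserRuntime.exe" ENABLE'),
    (1108, 500, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    (3001, 3000, r"C:\Windows\System32\netsh.exe", "netsh interface show interface"),  # constructed, benign
]
EVENTS = [dict(zip(("pid", "ppid", "image", "cmdline"), e)) for e in RAW_EVENTS]

WIFI_RE = re.compile(r"\bwlan\s+show\s+(?:profiles?|networks)\b", re.I)
FW_ALLOW_RE = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
TEMP_BAT_RE = re.compile(r"\\Temp\\[^\s\"]+\.bat\b", re.I)
TASKKILL_RE = re.compile(r"\btaskkill\b.*?/(IM|PID)\s+(\S+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def chain(by_pid, pid) -> list:
    """Image basenames from the outermost known ancestor down to pid."""
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names[::-1]


def detect(events) -> list:
    by_pid, children = build_tree(events)
    findings = []
    for e in events:
        image, cmdline = basename(e["image"]).lower(), e["cmdline"]
        if image == "netsh.exe" and WIFI_RE.search(cmdline):
            findings.append({"rule": "wifi_profile_enumeration", "pid": e["pid"],
                             "chain": chain(by_pid, e["pid"])})
        elif image == "netsh.exe" and (m := FW_ALLOW_RE.search(cmdline)):
            parent = by_pid.get(e["ppid"])
            findings.append({"rule": "firewall_allow_program", "pid": e["pid"], "program": m.group(1),
                             # the requesting process allow-listing its own binary is the RAT pattern
                             "parent_allows_itself": parent is not None and m.group(1).lower() == parent["image"].lower(),
                             "chain": chain(by_pid, e["pid"])})
        elif image == "cmd.exe" and TEMP_BAT_RE.search(cmdline):
            kids = {basename(c["image"]).lower(): c for c in children[e["pid"]]}
            if "taskkill.exe" in kids and "timeout.exe" in kids:
                tk = TASKKILL_RE.search(kids["taskkill.exe"]["cmdline"])
                switch, target = (tk.group(1).upper(), tk.group(2)) if tk else (None, None)
                findings.append({"rule": "temp_batch_kill_and_wait", "pid": e["pid"],
                                 "taskkill_switch": switch, "taskkill_target": target,
                                 # /IM takes an image name; a numeric target means taskkill matches nothing
                                 "taskkill_target_mismatch": switch == "IM" and target is not None and target.isdigit(),
                                 "chain": chain(by_pid, e["pid"])})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        extra = {k: v for k, v in f.items() if k not in ("rule", "chain")}
        print(f["rule"], "->", " > ".join(f["chain"]), extra)
```

The chain is what separates these from administrator activity: netsh wlan under an unsigned binary in the user profile, or a firewall exception whose program equals the parent's own image path, is a different thing from the same command typed into an elevated prompt under explorer.exe. The benign `netsh interface show interface` event matches no rule.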
MITRE ATT&CK Enterprise v6
Downloads
The files under C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\Admin@UMAXQRGK_en-US\ are the stealer's staging tree (per-category text files under Browsers, Directories and System). Entries without a path are listed as the report exported them.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 0fc34d2b31744235fe9e6bde223eba9a
  SHA1: d2ad9d5248100cbd82ee888c15930c163afe3861
  SHA256: f11c013f4e80d36e106035880f161216dbb6699bd44aa1de0934c5a793af3efc
  SHA512: d8bc27c6d2130fa294b386db907660c2bbcaeee7d3ce6e4805c04e64dff9024338df070ac00dafc0ed5146728016e82808cbc6cb4eea775397150091b407f538

(path not recorded)
  Filesize: 62KB
  MD5: 3ac860860707baaf32469fa7cc7c0192
  SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
  SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
  SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

(path not recorded)
  Filesize: 164KB
  MD5: 4ff65ad929cd9a367680e0e5b1c08166
  SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
  SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
  SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

(path not recorded)
  Filesize: 57B
  MD5: d6ad9e604ffa6de5edf54575d15faff8
  SHA1: 51a7f9528fa8d3916c4c02ab6cb5d940bf74cc5c
  SHA256: fca4783d0a61604d49b5ee93af7af69b15c6f36a446cd19141913bf3d6569937
  SHA512: fb65199e4845f32ee5350041da19c116c6e5434ccb5624f2ed657b529b6e15cf8c6aa24aebe8076eaf32ac90270e576acad15699ea29d5ea6e4ce6c41442a594

C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\Admin@UMAXQRGK_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\Admin@UMAXQRGK_en-US\Directories\Startup.txt
  Filesize: 24B
  MD5: 68c93da4981d591704cea7b71cebfb97
  SHA1: fd0f8d97463cd33892cc828b4ad04e03fc014fa6
  SHA256: 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
  SHA512: 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\Admin@UMAXQRGK_en-US\Directories\Videos.txt
  Filesize: 23B
  MD5: 1fddbf1169b6c75898b86e7e24bc7c1f
  SHA1: d2091060cb5191ff70eb99c0088c182e80c20f8c
  SHA256: a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
  SHA512: 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

(path not recorded)
  Filesize: 6KB
  MD5: 2a6d0300865f4242b266ca36fa5b8b44
  SHA1: eee2bba839ada3e0366f0c54c9a1ec73b3e53701
  SHA256: cbee7bc3c5e7006a656b1595d33f76c4e413f9f2b04cfae33ed9dc0821269d5a
  SHA512: 1c74c9e8eb36a0d663ea94d53816501e9c49ccada67af2376e1fce88260c2af2e39fe1292cb47819f09b25f8c944805a65339253db66f66b2013b10b362f4ad4

C:\Users\Admin\AppData\Local\b7af24f9062dfa9f0e384cab8062dfdb\Admin@UMAXQRGK_en-US\System\ProductKey.txt
  Filesize: 29B
  MD5: cad6c6bee6c11c88f5e2f69f0be6deb7
  SHA1: 289d74c3bebe6cca4e1d2e084482ad6d21316c84
  SHA256: dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
  SHA512: e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

(path not recorded)
  Filesize: 19B
  MD5: 7154104d07ecfcc98d771c1f40b4852f
  SHA1: ad03c2b66529a6ad529f837c7ba841b12feeb387
  SHA256: 5c94705dce7ff84c1c7020f4f8909439864e4b0c9ba06f2467aabd7a90dc7210
  SHA512: 95d6c56312f242c6a81ad99ef38af1a08939f8620d10566615bb11731b45e0c3ecf80a13c641f33be9b5f300511045b8a32285cd2b8d63c53be36c9650bf56e7

(path not recorded; the same file is listed six times with identical hashes)
  Filesize: 31KB
  MD5: ffedb9454cd970240628f9a65ba440e1
  SHA1: 90e7557bac4789101f7d53a7823623714f16e740
  SHA256: 3801c296dab5e58d5609634c40648b2cd7927d106b08966450629ee261e46ca4
  SHA512: 9ab7fa0fb2161eea6e23ee8dd3289c50c5dea00edd7122ca3e081a6c3b195b71ce2853dd8182481aeeb1f9b0dbe7355b5fdf97684ba6eff9933f4f516fb53c41

(path not recorded; the same file is listed three times with identical hashes)
  Filesize: 2.9MB
  MD5: 1d1da22273bc54c1e9d1c5f94b79655d
  SHA1: 91ecd916e9f178468a73bdf7b1dbc79fc6eba929
  SHA256: 67dd4aaad52ce3f19f177ab41004a583dc082c1b068408a53c0533540e687833
  SHA512: 28d01ce3b1ae0eb3da11191604e890b5f5008305778d5957bc5a2c70425c4d874f5c4db6ede34c99926bf52695de33a8e4e2afa12545982fd15a3e7afed8b524